diff --git a/bin/yara-generator/requirements.txt b/bin/yara-generator/requirements.txt new file mode 100644 index 000000000..fae34db43 --- /dev/null +++ b/bin/yara-generator/requirements.txt @@ -0,0 +1 @@ +pefile diff --git a/bin/yara-generator/yara-generator.py b/bin/yara-generator/yara-generator.py index 87fd3e8fb..7022d2ec9 100644 --- a/bin/yara-generator/yara-generator.py +++ b/bin/yara-generator/yara-generator.py @@ -151,9 +151,34 @@ def generate_yara_rules(header_infos, yaml_infos, debug, driver_filter, strict, for hi in header_infos: # Get YAML info to determine the type of rule yaml_info = get_yaml_info_for_sample(hi['sha256'][0], yaml_infos) - - if yaml_info is None: - print(f"No YAML info found for file with SHA256: {hi['sha256'][0]}. Skipping this file.") + # If no YAML info is found, skip the rule generation + if not yaml_info: + Log.info("No YAML info found for %s - skipping YARA rule generation" % hi['file_names']) + continue + # Category and values + type_driver = "vulnerable driver" + type_string = "PUA_VULN" + type_desc = "vulnerable" + type_score = 40 + if renamed: + type_score = 70 + type_string = "PUA_VULN_Renamed" + # for malicious drivers + if 'Category' in yaml_info: + #print(yaml_info['Category']) + if yaml_info['Category'] == "malicious": + type_driver = "malicious" + type_string = "MAL_" + type_desc = "malicious" + type_score = 70 + if strict: + type_score = 85 + # File names (use the file names in field 'Tags' otherwise use the driver file names) + file_names = hi['file_names'] + if 'Tags' in yaml_info: + file_names = yaml_info['Tags'] + # Apply filter + if driver_filter is not type_driver: continue # Category and values @@ -254,6 +279,7 @@ def get_yaml_info_for_sample(sample_hash, yaml_infos): # Loop over YAML infos and find the sample using its hash for yi in yaml_infos: for sample_info in yi['KnownVulnerableSamples']: + # print(sample_info) sample_hashes = [] if 'MD5' in sample_info: sample_hashes.append(sample_info['MD5']) 
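Review bot: `pefile` is added without any version constraint, so each fresh install of the generator may pull a different release, and since the rules are presumably built from the VersionInfo values pefile extracts, the generated rule set is not reproducible across machines. Pin it to the release the current rules were generated with, e.g. `pefile==<tested-version>` (placeholder for the version actually used), or at least give it an upper bound.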
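Review bot: `if driver_filter is not type_driver:` compares the two strings by identity, which only works when CPython happens to reuse the same object for equal literals; it should read `if driver_filter != type_driver:`. The log line that replaces the old print no longer carries the sample hash, which is the one unambiguous identifier of a driver sample, so consider `Log.info("No YAML info found for %s (%s) - skipping YARA rule generation" % (hi['file_names'], hi['sha256'][0]))`. The trailing context line `# Category and values` suggests the added category block duplicates one that still follows below the hunk; if so, one copy should go. The commented-out `#print(yaml_info['Category'])` here and `# print(sample_info)` in the get_yaml_info_for_sample hunk are debug leftovers better dropped or turned into `Log.debug` calls. generate_yara_rules continues outside the hunk.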
@@ -320,6 +346,7 @@ def removeNonAsciiDrop(s): parser.add_argument('-y', nargs='*', help='Path to YAML files with information on the drivers (can be used multiple times)', metavar='yaml-files', default=['../../yaml/']) + parser.add_argument('-f', help="Write a log file)", metavar='log-file', default='yara-generator.log') parser.add_argument('-o', help="Output folder for rules", metavar='output-folder', default='../../detections/yara/') parser.add_argument('--debug', action='store_true', default=False, help='Debug output') @@ -332,6 +359,10 @@ def removeNonAsciiDrop(s): Log.setLevel(logging.INFO) if args.debug: Log.setLevel(logging.DEBUG) + # File Handler + fileHandler = logging.FileHandler(args.f) + fileHandler.setFormatter(logFormatter) + Log.addHandler(fileHandler) # Console Handler consoleHandler = logging.StreamHandler() consoleHandler.setFormatter(logFormatter) @@ -360,8 +391,8 @@ def removeNonAsciiDrop(s): yara_rules_vulnerable_drivers_strict_renamed = generate_yara_rules(file_infos, yaml_infos, args.debug, driver_filter="vulnerable driver", strict=True, renamed=True) # Write the output files - # The sets - output_file = os.path.join(args.o, 'yara-rules_vuln_drivers.yar') + # we write the recommended files to the root folder and other sets to a sub folder named 'other' + output_file = os.path.join(args.o, 'other', 'yara-rules_vuln_drivers.yar') with open(output_file, 'w') as fh: Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_vulnerable_drivers), output_file)) fh.write("\n".join(yara_rules_vulnerable_drivers)) 
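Review bot: The help text of the new `-f` option carries a stray closing parenthesis, `help="Write a log file)"`; `help="Write a log file"` reads cleanly in the `--help` output. The argparse setup it belongs to starts before the hunk.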
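Review bot: `logging.FileHandler(args.f)` opens the log with the platform default encoding and in append mode, so on a Windows console locale a record containing a non-ASCII driver or file name may not be written (logging reports a `--- Logging error ---` on stderr instead) and the file keeps growing across runs; the file's `removeNonAsciiDrop` helper suggests such names do occur in the data. I would write `fileHandler = logging.FileHandler(args.f, encoding="utf-8")`, adding `mode="w"` if one log per run is the intent. The handler setup sits in the script's top-level block, which starts outside the hunk.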
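Review bot: `os.path.join(args.o, 'other', 'yara-rules_vuln_drivers.yar')` is opened with `'w'` straight away, but nothing creates the `other` subfolder, so a run against a fresh or empty output folder (`-o`) fails with FileNotFoundError; the two `other` paths in the following hunk (`@@ -373,15 +404,13 @@`) have the same problem. Add `os.makedirs(os.path.join(args.o, 'other'), exist_ok=True)` once before the first write. The enclosing top-level block starts and ends outside the hunk.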
@@ -373,15 +404,13 @@ def removeNonAsciiDrop(s): with open(output_file, 'w') as fh: Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_vulnerable_drivers_strict), output_file)) fh.write("\n".join(yara_rules_vulnerable_drivers_strict)) - output_file = os.path.join(args.o, 'yara-rules_mal_drivers_strict.yar') + output_file = os.path.join(args.o, 'other', 'yara-rules_mal_drivers_strict.yar') with open(output_file, 'w') as fh: Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_malicious_drivers_strict), output_file)) fh.write("\n".join(yara_rules_malicious_drivers_strict)) - output_file = os.path.join(args.o, 'yara-rules_vuln_drivers_strict_renamed.yar') + output_file = os.path.join(args.o, 'other', 'yara-rules_vuln_drivers_strict_renamed.yar') with open(output_file, 'w') as fh: Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_vulnerable_drivers_strict_renamed), output_file)) fh.write("\n".join(yara_rules_vulnerable_drivers_strict_renamed)) # The single rules for each driver output_path_single_rules = os.path.join(args.o, '/single-rules') - - \ No newline at end of file diff --git a/detections/yara/yara-rules_mal_drivers_strict.yar b/detections/yara/other/yara-rules_mal_drivers_strict.yar similarity index 98% rename from detections/yara/yara-rules_mal_drivers_strict.yar rename to detections/yara/other/yara-rules_mal_drivers_strict.yar index 8df1e9111..36f4badf5 100644 --- a/detections/yara/yara-rules_mal_drivers_strict.yar +++ b/detections/yara/other/yara-rules_mal_drivers_strict.yar 
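Review bot: The context line `output_path_single_rules = os.path.join(args.o, '/single-rules')` discards `args.o` entirely, because `os.path.join` restarts at a component that begins with a separator, so the single rules are aimed at `/single-rules` at the filesystem root instead of a folder inside the output directory. This line predates the commit, but it sits right next to the paths the commit rewrites, so it is worth fixing in the same change with `output_path_single_rules = os.path.join(args.o, 'single-rules')`. What is done with that path continues outside the hunk.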
@@ -1,130 +1,88 @@ -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAFA { +rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_6994 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9" - hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe" - hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25" - hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09" - hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b" - hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b" - hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9" - hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15" - hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff" - hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be" - hash = "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a" - hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2" - hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd" - hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b" - hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19" - hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878" - hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2" - hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a" - hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85" - hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715" - hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec" 
- hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d" - hash = "c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e" - date = "2023-11-02" - score = 85 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0740 { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + description = "Detects malicious driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - windbg.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39" - hash = "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7" - hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab" - hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895" - hash = "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8" - hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870" - hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2" - hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7" - hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920" - hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6" - hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736" - hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3" - hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe" - hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a" - hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0" - date = "2023-11-02" + hash = "6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77" + hash = "5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d" + hash = "ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620" + hash = "f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280" + hash = "32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d" + hash = "6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724" + hash = "86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62" + hash = "06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f" + hash = 
"4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4" + hash = "770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a" + hash = "50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76" + hash = "f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a" + hash = "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5" + hash = "139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988" + hash = "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d" + hash = "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12" + hash = "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df" + date = "2024-08-07" score = 85 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310039003000340031002e0036003800350020002800570069006e004200750069006c0064002e003100360030003100300031002e00300038003000300029 } /* FileVersion WinBuild */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310039003000340031002e003600380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770069006e006400620067002e007300790073 } /* InternalName windbgsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074003f002000570069006e0064006f00770073003f0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770069006e006400620067002e007300790073 } /* OriginalFilename windbgsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]003f0020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ 
condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 6600KB and all of them } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_3CA5 { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAF0 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e" + hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919" + hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da" + hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1" + hash = "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06" + hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f" + hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4" + hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5" + hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987" hash = "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1" - hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524" hash = "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37" - hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3" - hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f" - hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919" + hash = "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2" + hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263" + hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2" + hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576" + hash = 
"12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0" + hash = "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f" + hash = "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0" + hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b" hash = "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905" - hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f" + hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c" hash = "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa" - hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e" + hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3" + hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524" hash = "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55" - hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db" - hash = "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a" + hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778" + hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59" + hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719" hash = "4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de" - hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263" - hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987" + hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254" + hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f" hash = "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a" - hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778" - hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1" + hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db" hash = 
"93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe" - hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2" - hash = "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06" - hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167" - hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c" - hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5" - hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4" - hash = "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0" - hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576" + hash = "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a" hash = "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908" - hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b" - hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da" - hash = "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0" - hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254" - hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719" - hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875" + hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167" hash = "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96" hash = "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601" - hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59" - hash = "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f" - hash = "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2" - date = "2023-11-02" + hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875" + date = "2024-08-07" score = 85 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ 
@@ -140,118 +98,27 @@ rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_3CA5 { } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_07BE { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af" - hash = "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f" - hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7" - hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac" - hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80" - hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434" - hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4" - hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392" - hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021" - hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55" - hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c" - hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" - hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c" - hash = "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad" - hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9" - hash = "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6" - date = "2023-11-02" - score = 85 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - -rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E6F7 { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - windbg.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12" - hash = "4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4" - hash = "f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a" - hash = "f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280" - hash = "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d" - hash = 
"06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f" - hash = "86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62" - hash = "ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620" - hash = "50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76" - hash = "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df" - hash = "6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724" - hash = "139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988" - hash = "5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d" - hash = "32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d" - hash = "6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77" - hash = "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5" - hash = "770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a" - date = "2023-11-02" - score = 85 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310039003000340031002e0036003800350020002800570069006e004200750069006c0064002e003100360030003100300031002e00300038003000300029 } /* FileVersion WinBuild */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310039003000340031002e003600380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770069006e006400620067002e007300790073 } /* InternalName windbgsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074003f002000570069006e0064006f00770073003f0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770069006e006400620067002e007300790073 } /* OriginalFilename windbgsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]003f0020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 6600KB and all of them -} - - -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_26BE { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_DDF4 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47" - hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be" - hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968" - hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96" - hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550" - hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a" - hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6" - hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c" - hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93" - hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb" - hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266" - hash = 
"c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231" - hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925" - hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653" - hash = "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c" - hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc" - hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd" - hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7" - hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac" - hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4" - hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38" - hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852" - hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475" - hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad" - hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb" - hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7" - hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972" - hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b" - hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12" - hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f" - hash = "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f" - date = "2023-11-02" + hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a" + hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0" + hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895" + hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7" + hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2" + hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe" + hash = 
"e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8" + hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736" + hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3" + hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870" + hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab" + hash = "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7" + hash = "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39" + hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920" + hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ 
@@ -261,32 +128,32 @@ rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_26BE { $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_06DD { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0F58 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8" - hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd" + hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597" + hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212" hash = 
"0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35" - hash = "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa" - hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1" - hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0" - hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112" - hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3" + hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8" hash = "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a" + hash = "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa" hash = "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03" - hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212" + hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1" hash = "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66" + hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112" + hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0" hash = "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1" - hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597" - date = "2023-11-02" + hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3" + hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ 
@@ -302,98 +169,155 @@ rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_06DD { } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_7662 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2" - hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640" - date = "2023-11-02" + hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d" + hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec" + hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9" + hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09" + hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff" + hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25" + hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe" + hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9" + hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2" + hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b" + hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85" + hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15" + hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd" + hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b" + hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19" + hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a" + hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715" + hash = 
"40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a" + hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b" + hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878" + hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be" + hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2" + hash = "c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D9A { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_14B8 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_4.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce" - hash = "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e" - hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" - hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" - date = "2023-11-02" - score = 85 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003100370032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003100370032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* InternalName wantdsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074002000570069006e0064006f007700730020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* OriginalFilename wantdsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925" + hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475" + hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653" + hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968" + hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38" + hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f" + hash = "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f" + hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266" + hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6" + hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4" + hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550" + hash = 
"15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c" + hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c" + hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb" + hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be" + hash = "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231" + hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb" + hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a" + hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47" + hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12" + hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972" + hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7" + hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7" + hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd" + hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96" + hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac" + hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93" + hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc" + hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad" + hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b" + hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName 
gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_28F5 { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_41AD { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553" - hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21" - hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28" - date = "2023-11-02" + hash = "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f" + hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7" + hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac" + hash = 
"f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad" + hash = "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6" + hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80" + hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4" + hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" + hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021" + hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392" + hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434" + hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c" + hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af" + hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c" + hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55" + hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_96BF { +rule MAL_Driver_Sensecorp_42B2 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ntbios.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" - hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" - date = "2023-11-02" + hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25" + date = "2024-08-07" score = 85 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200032002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200032002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e007400620069006f002e007300790073 } /* InternalName ntbiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020004d006900630072006f0073006f00660074002800520029002000570069006e0064006f0077007300200028005200290020004e00540020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsRNTOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e007400620069006f0073002e007300790073 } /* OriginalFilename ntbiossys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000300033 } /* LegalCopyright C */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530065006e00730065003500200043004f00520050 } /* CompanyName SenseCORP */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0030002e0030 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright 
CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 4400KB and all of them } @@ -403,7 +327,7 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8" - date = "2023-11-02" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005000430049006500200056006900640065006f00200043006100700074007500720065 } /* FileDescription PCIeVideoCapture */ 
@@ -418,77 +342,103 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { } -rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_B0EB { +rule MAL_Driver_Gmer_Gmersys_Gmer_0052 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ndislan.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gmer64.sys, superman.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427" - date = "2023-11-02" + hash = "0052aa88e42055a2eed5ddd17c3499c692360155e5e031a211edfcef577acce3" + hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" + date = "2024-08-07" score = 85 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003400320031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003400320031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e006400690073006c0061006e002e007300790073 } /* InternalName ndislansys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e006400690073006c0061006e002e007300790073 } /* OriginalFilename ndislansys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004d00450052 } /* CompanyName GMER */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c002000360039003800330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200036003900380033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* InternalName gmersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004d00450052 } /* ProductName GMER */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* OriginalFilename gmersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200047004d0045005200200032003000300033002d0032003000310033 } /* LegalCopyright CopyrightCGMER */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81C7 { +rule 
MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_3.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1" - date = "2023-11-02" + hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8" + date = "2024-08-07" score = 85 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e003900330038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e003900330038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* InternalName wantdsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074002000570069006e0064006f007700730020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* OriginalFilename wantdsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule MAL_Driver_Sensecorp_7F45 { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_2FD4 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6" - date = "2023-11-02" + hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21" + hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28" + hash = 
"28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553" + date = "2024-08-07" score = 85 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530065006e00730065003500200043004f00520050 } /* CompanyName SenseCORP */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0036002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0036002e0030002e0030 } /* ProductVersion */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: - uint16(0) == 0x5a4d and filesize < 4500KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_C0D8 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ntbios_2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" + hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200032002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200032002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e007400620069006f002e007300790073 } /* InternalName ntbiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020004d006900630072006f0073006f00660074002800520029002000570069006e0064006f0077007300200028005200290020004e00540020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsRNTOperatingSystem 
*/ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e007400620069006f0073002e007300790073 } /* OriginalFilename ntbiossys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000300033 } /* LegalCopyright C */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem_1485 { +rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem_8578 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e" hash = "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330" - date = "2023-11-02" + hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004b00650072006e0065006c00200045007800650063007500740069007600650020004d006f00640075006c0065 } /* FileDescription WindowsKernelExecutiveModule */ 
@@ -504,39 +454,71 @@ rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem } -rule MAL_Driver_Sensecorp_42B2 { +rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_E7AF { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_6.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25" - date = "2023-11-02" + hash = "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e" + hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" + hash = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce" + hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" + date = "2024-08-07" score = 85 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530065006e00730065003500200043004f00520050 } /* CompanyName SenseCORP */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0030002e0030 } /* ProductVersion */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003100370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003100370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* InternalName wantdsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074002000570069006e0064006f007700730020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* OriginalFilename wantdsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 4400KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8" - date = "2023-11-02" + hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2" + hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640" + 
date = "2024-08-07" score = 85 strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_6908 { 
+ meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003900330038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003900330038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* InternalName wantdsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074002000570069006e0064006f007700730020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* OriginalFilename wantdsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } 
@@ -548,7 +530,7 @@ rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d" - date = "2023-11-02" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053006500720076006500720020004e006500740077006f0072006b0020006400720069007600650072 } /* FileDescription ServerNetworkdriver */ 
@@ -564,19 +546,19 @@ rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F } -rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_6908 { +rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81C7 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_2.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_3.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" - date = "2023-11-02" + hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003900330038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003900330038 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e003900330038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e003900330038 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* InternalName wantdsys */ $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074002000570069006e0064006f007700730020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* OriginalFilename wantdsys */ 
@@ -586,40 +568,59 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_69 } -rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { +rule MAL_Driver_773B { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gmer64.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" - date = "2023-11-02" + hash = "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894" + date = "2024-08-07" score = 85 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004d00450052 } /* CompanyName GMER */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c002000360039003800330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200036003900380033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* InternalName gmersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004d00450052 } /* ProductName GMER */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* OriginalFilename gmersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200047004d0045005200200032003000300033002d0032003000310033 } /* 
LegalCopyright CopyrightCGMER */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d002000320030003100370020 } /* LegalCopyright Copyrightc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule MAL_Driver_773B { +rule MAL_Driver_Sensecorp_7F45 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894" - date = "2023-11-02" + hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6" + date = "2024-08-07" score = 85 strings: - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d002000320030003100370020 } /* LegalCopyright Copyrightc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530065006e00730065003500200043004f00520050 } /* CompanyName SenseCORP */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0036002e0030002e0030 } /* FileVersion 
*/ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0036002e0030002e0030 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 4500KB and all of them +} + + +rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_B0EB { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ndislan.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003400320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003400320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e006400690073006c0061006e002e007300790073 } /* InternalName ndislansys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e006400690073006c0061006e002e007300790073 } /* OriginalFilename ndislansys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 300KB and all of them } diff --git a/detections/yara/yara-rules_vuln_drivers.yar b/detections/yara/other/yara-rules_vuln_drivers.yar similarity index 94% rename from detections/yara/yara-rules_vuln_drivers.yar rename to detections/yara/other/yara-rules_vuln_drivers.yar index 470f631eb..86bd85a7b 100644 --- a/detections/yara/yara-rules_vuln_drivers.yar +++ b/detections/yara/other/yara-rules_vuln_drivers.yar 
@@ -1,622 +1,670 @@ -rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_3867 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8" - hash = "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c" - date = "2023-11-02" + hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" + hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" + hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" + hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" + hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" + hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" + hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" + hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" + hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310037002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ 
condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_EC13 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0E85 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" - hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" - date = "2023-11-02" + hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" + hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" + hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" + hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" + hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" + hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" + hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" + hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" + hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" + hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: all 
of them } -rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_5EA5 { +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_786F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" - hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" - hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" - hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" - hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" - hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" - hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" - hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" - hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" - hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" - hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" - hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" - hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" - date = "2023-11-02" + hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" + hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" + hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" + hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" + hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_D807 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_A397 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" - hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" - hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" - date = "2023-11-02" + hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" + hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" + hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" + hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" + hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" + hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" + hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" + hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" + hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" + hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" + hash = 
"3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" + hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" + hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" + hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" + hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: all of them } -rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7462 { +rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" - hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" - hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" - hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" - hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" - hash = 
"2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - date = "2023-11-02" + hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2298 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-11-02" + hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" + hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" + hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" + hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" + hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" + hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" + hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: all of them } -rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { +rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-11-02" + hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" + hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" + hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" + hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" + hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" + hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" + hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" + hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" + hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" + hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" + hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ condition: all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1B00 { +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_0ABC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" - hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2023-11-02" + hash = "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ condition: all of them } -rule PUA_VULN_Driver_Yyinc_Dianhu_BB50 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" - hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" - date = "2023-11-02" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0059005900200049006e0063002e } /* CompanyName YYInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* ProductVersion */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006400690061006e00680075 } /* ProductName dianhu */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d003200300031003700200059005900200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightYYIncAllrightsreserved */ - condition: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: all of them } -rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_3C0A { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_9DBC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8" - date = "2023-11-02" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00330032 } /* FileDescription GenericPortIOforWin */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { +rule 
PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2023-11-02" + hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" + hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" + hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* 
ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright Copyrightnncom */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" - hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" - hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" - hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - 
date = "2023-11-02" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + 
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ condition: all of them } -rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_6948 { +rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" - hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" - hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" - hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" - hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" - hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" - date = "2023-11-02" + hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" + hash = 
"5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073 } /* CompanyName PhoenixTechnologies */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* InternalName Agentsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004400720069007600650072004100670065006e0074 } /* ProductName DriverAgent */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* OriginalFilename Agentsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0045006e0054006500630068002000540061006900770061006e002c00200031003900390037002d0032003000300039 } /* LegalCopyright EnTechTaiwan */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription 
RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright CopyrightCEldoSCorporation */ condition: all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { +rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7" - hash = "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c" - hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" - 
hash = "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9" - hash = "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5" - hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" - hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee" - hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" - date = "2023-11-02" + hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300030003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - VBoxUSB.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" - date = "2023-11-02" + hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: all of them } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_2594 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" - hash = 
"84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" - hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" - hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" - hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" - hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" - hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" - hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" - date = "2023-11-02" + hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule 
PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_F4DC { +rule PUA_VULN_Driver_Novellinc_Novellxtier_8473 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2" - hash = "070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103" - date = "2023-11-02" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" + hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* InternalName AODDriversys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* OriginalFilename AODDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { +rule 
PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_CFAB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" - date = "2023-11-02" + hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" + hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" + hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" + hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" + hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutDriverVersion */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ condition: all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_4CD8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" - hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" - hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-11-02" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* 
CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - all of them -} + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" - hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-11-02" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ condition: all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_0FC3 { +rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RwDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7" - hash = "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554" - date = "2023-11-02" + hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" + hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" + hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" + hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" + hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" + hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" + hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" + hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200770044007200760020004400720069007600650072 } /* ProductName RwDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" - hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-11-02" + hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" + hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" + hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000370030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* InternalName vmdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* OriginalFilename vmdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200056006f006900630065006d006f006400200053002e004c002e0032003000310030002d0032003000320030 } /* LegalCopyright CopyrightCVoicemodSL */ condition: all of them } -rule 
PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_A130 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-11-02" + hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" + hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e } /* CompanyName PhoenixTechnologiesLtd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500048004c004100530048004e0054 } /* InternalName PHLASHNT */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00500068006c006100730068 } /* ProductName WinPhlash */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500048004c004100530048004e0054002e005300590053 } /* OriginalFilename PHLASHNTSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]002800630029002000500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e00200032003000300030002d0032003000300033 } /* LegalCopyright cPhoenixTechnologiesLtd */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EE3F { +rule PUA_VULN_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { meta: - description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" - hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" - date = "2023-11-02" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003000390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* 
LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_6945 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-11-02" + hash = "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100370036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription 
USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 { +rule PUA_VULN_Driver_Fintekcorp_Fintekcorpfintekpcieuart_32BD { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e" + hash = "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d" + hash = 
"b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006e00740065006b002000500063006900650032005500610072007400200041006400610070007400650072 } /* FileDescription FintekPcieUartAdapter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e } /* CompanyName FintekCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e002000460069006e00740065006b0020005000630069006500320055006100720074 } /* ProductName FintekCorpFintekPcieUart */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200040002000460069006e00740065006b00200043006f00720070002e00200032003000300032002d0032003000310033 } /* LegalCopyright CopyrightFintekCorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_42B3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb" - hash = "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9" - date = "2023-11-02" + hash = "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180" + hash = "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b" 
+ date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ 
@@ -626,1407 +674,1782 @@ rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 { } -rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-11-02" + hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f005200430049004f00360034002e007300790073 } /* OriginalFilename BSRCIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values 
from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" - date = "2023-11-02" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D633 { +rule PUA_VULN_Driver_Netfiltersys_F171 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b" - hash = "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36" - date = "2023-11-02" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2024-08-07" score = 
40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_DD4F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ 
= { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_7627 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-11-02" + hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" + hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 
} /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } 
/* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_65DE { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_16AE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" - hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" - hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" - hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" - hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" - hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" - hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" - hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" - hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" - hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" - hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" - date = "2023-11-02" + hash = "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c" + hash = "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { +rule PUA_VULN_Driver_Computerz_Computerzsys_Computerzsystemdriver_61F3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" - hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-11-02" + hash = "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* InternalName amifldrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* OriginalFilename amifldrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ComputerZSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f006d00700075007400650072005a } /* CompanyName ComputerZ */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* ProductName ComputerZSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300030003800200043006f006d00700075007400650072005a } /* LegalCopyright CopyrightCComputerZ */ condition: all of them } -rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_88E2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-11-02" + hash = "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc" + hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478" + hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" + hash = "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a" + hash = "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476" + hash = "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06" + hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" + hash = "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7" + hash = 
"59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" + hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" + hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* 
FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-11-02" + hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" + hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" + hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" + hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" + 
hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" + hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" + hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043005900520045004e00200049006e0063002e } /* CompanyName CYRENInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d0050 } /* InternalName AMP */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005900520045004e00200041004d005000200035 } /* ProductName CYRENAMP */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d0070002e007300790073 } /* OriginalFilename ampsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000310039003900390020002d00200032003000310034002e00200043005900520045004e00200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCYRENIncAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_26EC { +rule PUA_VULN_Driver_Mitactechnologycorporation_Vdbsvsys_Mitacsystemserviceprovider_91AF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VdBSv64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd" - hash = 
"dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233" - date = "2023-11-02" + hash = "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* InternalName VdBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* OriginalFilename VdBSvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ condition: all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_442D { +rule PUA_VULN_Driver_Novellinc_Novellxtier_00B3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243" - hash = "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c" - date = "2023-11-02" + hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" + hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" + hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" + hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" + hash = 
"c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName 
NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_66A2 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_B50F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" - hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" - hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" - date = "2023-11-02" + hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" + hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" + hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" + hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" + hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" + date = "2024-08-07" score = 40 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0B54 { +rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { meta: - description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" - hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" - hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" - hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" - date = "2023-11-02" + hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" + hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d00320030003000380020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { +rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - HwRwDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" - hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-11-02" + hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* ProductVersion r */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } 
/* FileDescription Hardwarereadwritedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f0077007300ae002000770069006e006f007700730020003700200064007200690076006500720020006b006900740073002000700072006f00760069006400650072 } /* CompanyName Windowswinowsdriverkitsprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* InternalName HwRwDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* ProductName Hardwarereadwritedriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* OriginalFilename HwRwDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightMicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { +rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" - hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" - hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" - date = "2023-11-02" + hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright Copyrightnncom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* 
CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Bsmisys_552F { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" - hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - date = "2023-11-02" + hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: all of them } -rule 
PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntamfnbvctvcbmftwc_36B9 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_FF55 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_Def64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" - hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" - hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" - hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" - date = "2023-11-02" + hash = "ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100730075007300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName AsusTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* InternalName BsDefsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0053007500700070006f0072007400200053005300540033003900530046003000320030002c0053005300540032003900450045003000320030002c004100540034003900460030003000320054002c00410054003200390043003000320030002c0041004d003200390046003000300032004e0054002c0041004d003200390046003000300032004e0042002c0056003200390043003500310030003000320054002c0056003200390043003500310030003000320042002c004d0032003900460030003000320054002c0057003200390043003000320030002e } /* ProductName SupportSSTSFSSTEEATFTATCAMFNTAMFNBVCTVCBMFTWC */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* OriginalFilename BsDefsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004100730075007300540065006b00200043006f006d00700075007400650072002e00200031003900390032002d0032003000300034 } /* LegalCopyright CopyrightCAsusTekComputer */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ 
= { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: all of them } -rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_05C1 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_A855 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686" - hash = "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f" - date = "2023-11-02" + hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300032003000200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename 
nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-11-02" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { +rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2023-11-02" + hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* InternalName Monitorsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e006300650064002000530079007300740065006d0043006100720065 } /* ProductName AdvancedSystemCare */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* OriginalFilename Monitorsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Featureintegrationtechnologyinc_Fintekpciecom_81FB { +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_2B33 { meta: - 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d" - hash = "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1" - date = "2023-11-02" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460049004e00540045004b002000500043004900450043004f004d00200041006400610070007400650072 } /* FileDescription FINTEKPCIECOMAdapter */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName 
FeatureIntegrationTechnologyInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460049004e00540045004b002000500043004900450043004f004d0020 } /* ProductName FINTEKPCIECOM */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200320020004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightCFeatureIntegrationTechnologyInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { +rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2023-11-02" + hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0030002e0031003000370032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName 
TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e } /* CompanyName PhoenixTechnologiesLtd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500048004c004100530048004e0054 } /* InternalName PHLASHNT */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00500068006c006100730068 } /* ProductName WinPhlash */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500048004c004100530048004e0054002e005300590053 } /* OriginalFilename PHLASHNTSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800630029002000500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e00200032003000300030002d0032003000300033 } /* LegalCopyright cPhoenixTechnologiesLtd */ condition: all of them } -rule 
PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { +rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" - hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" - hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" - hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" - hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" - hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" - hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" - hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" - hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" - hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" - hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" - hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" - hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" - hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" - hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" - hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" - hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" - hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" - hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" - date = "2023-11-02" + hash = 
"7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310030002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ + 
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ condition: all of them } -rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_F4DC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2023-11-02" + hash = "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2" + hash = "070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e0034002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0034002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003200200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: all of them } -rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_D680 { +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_8FE4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7" - hash = "e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65" - hash = "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab" - hash = "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e" - date = "2023-11-02" + hash = "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65" + hash = "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00360034 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_C6A5 { +rule PUA_VULN_Driver_Anticheatexpertcom_Acebase_Anticheatexpert_7326 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ACE-BASE.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413" - hash = "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d" - date = "2023-11-02" + hash = "7326aefff9ea3a32286b423a62baebe33b73251348666c1ee569afe62dd60e11" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100430045002d0042004100530045003600340020004e00540020004400720069007600650072 } /* FileDescription ACEBASENTDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041004e0054004900430048004500410054004500580050004500520054002e0043004f004d } /* CompanyName ANTICHEATEXPERTCOM */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032003200300032002e0036003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100430045002d004200410053004500360034 } /* InternalName ACEBASE */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069002d004300680065006100740020004500780070006500720074 } /* ProductName AntiCheatExpert */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200041006e0074006900430068006500610074004500780070006500720074002e0063006f006d0020004c0069006d0069007400650064002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
AntiCheatExpertcomLimitedAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_F77F { +rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" - hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" - hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" - hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" - date = "2023-11-02" + hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxc_1183 { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1072 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359" - date = "2023-11-02" + hash = "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a" + hash = "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d003200580037003200430020004b00650072006e0065006c0020004400650076006900630065002000440072006900760065007200280053005900530029002000570069006e0064006f00770073004e0054 } /* FileDescription GPCXCKernelDeviceDriverSYSWindowsNT */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e007300790073 } /* InternalName CPXCsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043 } /* ProductName GPCXC */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043 } /* OriginalFilename CPXC */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300030003700200049006e007400650072006600610063006500200043006f00720070002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorpAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0061007600610073007400210020004e0047 } /* ProductName avastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003200200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8A07 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-11-02" + hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" + 
hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" + hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" + hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" + hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" + hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" + hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" + hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" + hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" + hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" + hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver 
*/ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_C0C5 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b" - hash = "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180" - date = "2023-11-02" + hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" + hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" + hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" + hash = 
"636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" + hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" + hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" + hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" + hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" + hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" + hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" + hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" + hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" + hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" + hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" + hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" + hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" + hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" + hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" + hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310030002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_3140 { 
+rule PUA_VULN_Driver_Proxydrvsys_Nn_C0E7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" - hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" - hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" - hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" - hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" - date = "2023-11-02" + hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ condition: all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_47E3 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_5381 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" - hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" - hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" - hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" - hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" - hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" - hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" - hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" - date = "2023-11-02" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3D00 { +rule PUA_VULN_Driver_Netfiltersys_26D6 { meta: - 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2" - date = "2023-11-02" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: all of them } -rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { +rule PUA_VULN_Driver_Asustek_Driversys_Ectool_927C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86-withoutdbg.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" - hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" - hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" - hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" - hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" - date = "2023-11-02" + hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" + hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" + hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" + hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e002c00200032003000300033 } /* LegalCopyright CopyrightCATITechnologiesInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300740065006b } /* CompanyName ASUStek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044007200690076006500720037002e007300790073 } /* InternalName Driversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300200074006f006f006c } /* ProductName ECtool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044007200690076006500720037 } /* OriginalFilename Driver */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020 } /* LegalCopyright Copyright */ condition: all of them } -rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B { +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-11-02" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c0065006e006f0076006f002000470072006f007500700020004c0069006d00690074006500640020002800520029 } /* CompanyName LenovoGroupLimitedR */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* InternalName LenovoDiagnosticsDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073 } /* ProductName LenovoDiagnostics */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* OriginalFilename LenovoDiagnosticsDriversys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000320030003200310020004c0065006e006f0076006f002000470072006f007500700020004c0069006d0069007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright LenovoGroupLimitedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_E757 { +rule 
PUA_VULN_Driver_Intelcorp_Stdcdrvwssys_Selftestdatacollectordriverforwindowsx_70AF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LHA.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrvws64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" - date = "2023-11-02" + hash = "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c004700200045006c0065006300740072006f006e00690063007300200049006e0063002e } /* CompanyName LGElectronicsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00480041002e007300790073 } /* InternalName LHAsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00480041002e007300790073 } /* OriginalFilename LHAsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0075006c00740072006100620069006f007300400068006f0074006d00610069006c002e0063006f006d } /* LegalCopyright ultrabioshotmailcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f00720020004400720069007600650072 } /* FileDescription SelfTestDataCollectorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070002e } /* CompanyName IntelCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* InternalName stdcdrvwssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072002000440072006900760065007200200066006f0072002000570069006e0064006f00770073002000370020007800360034 } /* ProductName SelfTestDataCollectorDriverforWindowsx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* OriginalFilename stdcdrvwssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310030 } /* LegalCopyright Copyright */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_E728 { +rule PUA_VULN_Driver_Realteksemiconductorcorp_Rtportsys_Realtekportio_FF32 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" - hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" - hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" - date = "2023-11-02" + hash = "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* FileDescription REALTEKPortIO */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* CompanyName REALTEKSemiconductorCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* InternalName RTPORTSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* ProductName REALTEKPortIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* OriginalFilename RTPORTSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200031003900390039002d00320030003000310020005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* LegalCopyright CopyrightcREALTEKSemiconductorCorp */ condition: all of them } -rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" - hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" - hash = 
"f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" - date = "2023-11-02" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f002000640072006900760065007200200066006c0065 } /* ProductName BIOSTARIOdriverfle */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f0049003200630049006f002e007300790073 } /* OriginalFilename BSIcIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300036002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1792 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_834A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" - hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" - hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" - hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - date = "2023-11-02" + hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename 
gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { +rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_F4C7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" - hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" - hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" - hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" - hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" - hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" - hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" - hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" - hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" - date = "2023-11-02" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310037002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ condition: all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7A48 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2023-11-02" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* 
FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2023-11-02" + hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion 
*/ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_3867 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" - hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" - hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" - hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" - hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" - hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" - hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" - hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" - hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" - hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" - hash = 
"3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" - date = "2023-11-02" + hash = "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8" + hash = "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_2E66 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" - hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" - hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" - hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" - hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" - hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" - date = "2023-11-02" + hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000330033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8D57 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" - hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" - hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" - hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" - hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" - hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" - date = "2023-11-02" + hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310035002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003100200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9B6A { +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2023-11-02" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00320037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00320037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310039 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { +rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" - hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" - date = "2023-11-02" + hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" + hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" + hash = 
"55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } 
/* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f002000640072006900760065007200200066006c0065 } /* ProductName BIOSTARIOdriverfle */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f0049003200630049006f002e007300790073 } /* OriginalFilename BSIcIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300036002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ + 
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = 
{ 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* OriginalFilename mtcBSvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* 
InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003700200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys, viragt64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Pancafemanager_0650 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFltX64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* InternalName PanMonFltXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* OriginalFilename PanMonFltXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D633 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b" + hash = "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Bsmisys_5962 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMI.sys, BSMIXP64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" + hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_C6FE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" + hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" + hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" + hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1" + hash = "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7" + hash = "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8" + hash = "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793" + hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" + hash = "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4" + hash = "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb" + hash = "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530" + hash = "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5" + hash = "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03" + hash = "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6" + hash = "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d" + hash = "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6" + hash = "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2" + hash = "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be" + hash = "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805" + hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" + hash = "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57" + hash = 
"952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4" + hash = "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558" + hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" + hash = "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94" + hash = "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d" + hash = "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482" + hash = "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7" + hash = "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1" + hash = "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499" + hash = "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526" + hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" + hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" + hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_7C8A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00330033002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00330033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000310038004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright NCRCorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avaluetechnologyinc_Avalueio_Avalueio_A5A4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - avalueio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec" + hash = "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100760061006c007500650049004f0020004400720069007600650072 } /* FileDescription AvalueIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0020004100760061006c0075006500200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName AvalueTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100560041004c005500450049004f } /* InternalName AVALUEIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061006c007500650049004f0020 } /* ProductName AvalueIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100560041004c005500450049004f002e005300590053 } /* OriginalFilename AVALUEIOSYS */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006300200032003000310036 } /* LegalCopyright Copyrightc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntamfnbvctvcbmftwc_5F5E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Bs_Def.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" + hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" + hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" + hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100730075007300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName AsusTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* InternalName BsDefsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0053007500700070006f0072007400200053005300540033003900530046003000320030002c0053005300540032003900450045003000320030002c004100540034003900460030003000320054002c00410054003200390043003000320030002c0041004d003200390046003000300032004e0054002c0041004d003200390046003000300032004e0042002c0056003200390043003500310030003000320054002c0056003200390043003500310030003000320042002c004d0032003900460030003000320054002c0057003200390043003000320030002e } /* ProductName SupportSSTSFSSTEEATFTATCAMFNTAMFNBVCTVCBMFTWC */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* OriginalFilename BsDefsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004100730075007300540065006b00200043006f006d00700075007400650072002e00200031003900390032002d0032003000300034 } /* LegalCopyright CopyrightCAsusTekComputer */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_F27F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" + hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" + hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" + hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" + hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" + hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 
} /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_5A66 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" + hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" + hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" + hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" + hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" + hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9521 { +rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4" - hash = "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7" - hash = "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94" - hash = "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526" - hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" - hash = "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d" - hash = "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805" - hash = "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793" - 
hash = "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb" - hash = "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558" - hash = "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8" - hash = "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482" - hash = "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499" - hash = "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1" - hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" - hash = "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1" - hash = "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7" - hash = "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03" - hash = "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4" - hash = "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2" - hash = "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be" - hash = "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57" - hash = "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6" - hash = "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5" - hash = "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6" - hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" - hash = "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530" - hash = "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d" - hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" - hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" - hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" - date = "2023-11-02" + hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* 
FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* InternalName PanIOxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* OriginalFilename PanIOxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ condition: all of them } -rule PUA_VULN_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_2F8B { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hwdetectng.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f" - hash = "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2" - hash = "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee" - date = "2023-11-02" + hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480057004400650074006500630074004e0047 } /* FileDescription HWDetectNG */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069004e00460045005200520045 } /* CompanyName iNFERRE */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* InternalName hwdetectngsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* ProductName hwdetectngsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* OriginalFilename hwdetectngsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200032003000300038002d0030003900200069004e00460045005200520045 } /* LegalCopyright ciNFERRE */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Asustek_Driversys_Ectool_4285 { +rule PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" - hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" - hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" - date = "2023-11-02" + hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300740065006b } /* CompanyName ASUStek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044007200690076006500720037002e007300790073 } /* InternalName 
Driversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300200074006f006f006c } /* ProductName ECtool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044007200690076006500720037 } /* OriginalFilename Driver */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006e0054006500630068002000540061006900770061006e } /* CompanyName EnTechTaiwan */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065003600340061002e007300790073 } /* InternalName seasys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0073006f006600740045006e00670069006e0065002d007800360034 } /* ProductName softEnginex */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065003600340061002e007300790073 } /* OriginalFilename seasys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200045006e0054006500630068002000540061006900770061006e002c00200032003000300034002d0032003000300036002e } /* LegalCopyright CopyrightcEnTechTaiwan */ condition: all of them } -rule PUA_VULN_Driver_Netfiltersys_26D6 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - netfilter2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" - hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" - hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" - date = "2023-11-02" + hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B832 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_F159 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25" - hash = "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f" - date = "2023-11-02" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ condition: all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D682 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476" - hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" - hash = "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc" - hash = 
"59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" - hash = "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06" - hash = "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a" - hash = "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7" - hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478" - hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" - hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" - hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" - date = "2023-11-02" + hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-11-02" + hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" + hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_2203 { +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_3C11 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958" - date = "2023-11-02" + hash = "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d" + hash = "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9" + hash = "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300038002c002000300035002c002000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300030003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" - date = "2023-11-02" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { +rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-11-02" + hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003100310035 } /* ProductVersion */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: 
@@ -2034,364 +2457,362 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { } -rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_5A82 { +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_4932 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" - hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" - date = "2023-11-02" + hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" + hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" + hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" + hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright CopyrightCEldoSCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-11-02" + hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002d003200300032003100200048005000200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCHPIncAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion 
*/ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_B8DE { +rule PUA_VULN_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" - hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" - hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" - hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" - hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" - date = "2023-11-02" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } 
/* FileDescription Kernellevelportaccessdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { +rule PUA_VULN_Driver_Intelcorporation_Stdcdrvsys_Selftestdatacollector_3702 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrv64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" - date = "2023-11-02" + hash = "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* FileDescription SelfTestDataCollector */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* InternalName stdcdrvsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* ProductName SelfTestDataCollector */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* OriginalFilename stdcdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcIntelCorporation */ condition: all of them } -rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-11-02" + hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" + hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]007300750070006500720062006d0063 } /* InternalName superbmc */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007300750070006500720062006d0063 } /* ProductName superbmc */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300750070006500720062006d0063002e007300790073 } /* OriginalFilename superbmcsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: 
all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { +rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" - date = "2023-11-02" + hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" + hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_DD2F { +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_3C0A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" - hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" - hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" - hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" - date = "2023-11-02" + hash = "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00330032 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: all of them } -rule PUA_VULN_Driver_Dell_Dbutil_71FE { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5FAE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-11-02" + hash = "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440065006c006c } /* CompanyName Dell */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0037002e0030002e0030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440042005500740069006c } /* ProductName DBUtil */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000320031002000440065006c006c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e0020 } /* LegalCopyright DellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename 
ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rwdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" - hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" - hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" - hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" - hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" - hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" - hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" - hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" - date = "2023-11-02" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200770044007200760020004400720069007600650072 } /* ProductName RwDrvDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ condition: all of them } -rule PUA_VULN_Driver_Netfiltersys_7FF8 { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1A45 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" - hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" - hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" - date = "2023-11-02" + hash = "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Elitegroupcomputersystems_Ecsiodriversys_Ecsiodriver_2705 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { meta: - description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ecsiodriverx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc" - date = "2023-11-02" + hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" + hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045004300530049006f004400720069007600650072 } /* FileDescription ECSIoDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073 } /* CompanyName ElitegroupComputerSystems */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* InternalName ECSIoDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300530049006f004400720069007600650072 } /* ProductName ECSIoDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* OriginalFilename ECSIoDriversys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d003200300031003000200045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCElitegroupComputerSystemsAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003000390039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_F4E5 { +rule 
PUA_VULN_Driver_Yyinc_Dianhu_80CB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel_10.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114" - hash = "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54" - date = "2023-11-02" + hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" + hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0059005900200049006e0063002e } /* CompanyName YYInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006400690061006e00680075 } /* ProductName dianhu */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d003200300031003700200059005900200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightYYIncAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-11-02" + hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" + hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" + hash = 
"b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion 
*/ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-11-02" + hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName MsIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1078 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Wnbiossys_Windowsrwinddkdriver_530D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wnbios.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-11-02" + hash = "530d9223ec7e4123532a403abef96dfd1af5291eb49497392ff5d14d18fccfbb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0057006e00420069006f00730020004400720069007600650072 } /* FileDescription WnBiosDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* InternalName wnbiossys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* OriginalFilename wnbiossys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" - date = "2023-11-02" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ 
@@ -2401,192 +2822,226 @@ rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_F7E0 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" - hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" - hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" - hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" - hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-11-02" + hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename 
NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { +rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-11-02" + hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" + hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ - 
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ condition: all of them } -rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_16A2 { +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" - hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2023-11-02" + hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310035002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { +rule 
PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_909D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NalDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" - hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2023-11-02" + hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = 
{ 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003300200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: all of them } -rule 
PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { +rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2023-11-02" + hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" + hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" + hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" + hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" + hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" + hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName 
iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e002c00200032003000300033 } /* LegalCopyright CopyrightCATITechnologiesInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_E502 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65" + hash = "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab" + hash = "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7" + hash = "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys 
*/ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_C190 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" - date = "2023-11-02" + hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* 
OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_DAF5 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - WiseUnlo.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" - hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" - hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" - date = "2023-11-02" + hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6FB5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-11-02" + hash = 
"6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ 
@@ -2596,753 +3051,718 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } -rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysDrv3S.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00330053002d0053006d00610072007400200053006f00660074007700610072006500200053006f006c007500740069006f006e007300200047006d00620048 } /* CompanyName SSmartSoftwareSolutionsGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c0035002c0036002c0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0035002e0036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530079007300440072007600330053 } /* InternalName SysDrvS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079007300440072007600330053 } /* ProductName SysDrvS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530079007300440072007600330053002e007300790073 } /* OriginalFilename SysDrvSsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300036002d0032003000310034 } /* LegalCopyright Copyright */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_3B71 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
amsdk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2023-11-02" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007000790072006900670068007400200032003000310038002e } /* CompanyName Copyright */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* ProductName AdvancedMalwareProtection */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005a0041004d002e006500780065 } /* OriginalFilename ZAMexe */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000310038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3CB1 { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284" - hash = "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91" - date = "2023-11-02" + hash = 
"0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: all of them } -rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D636 { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" - hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" - hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" - date = "2023-11-02" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003300200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00330020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0033 } /* ProductName MsIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1072 { +rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a" - hash = "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994" - date = "2023-11-02" + hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* ProductVersion 
*/ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0061007600610073007400210020004e0047 } /* ProductName avastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003200200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079 } /* CompanyName HPDevelopmentCompany */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* InternalName etdsuppsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048005000200045005400440069002000440072006900760065007200200044004c004c } /* ProductName HPETDiDriverDLL */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* OriginalFilename etdsuppsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200031003900390031002d00320030003200320020004800650077006c006500740074002d005000610063006b00610072006400200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079002c0020004c002e0050002e } /* LegalCopyright CCopyrightHewlettPackardDevelopmentCompanyLP */ condition: all of them } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_405A { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_DB1D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" - hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" - hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" - hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" - hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-11-02" + hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" + hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" + hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" + hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" 
+ hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" + hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" + hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" + hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 
} /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2023-11-02" + hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { +rule PUA_VULN_Driver_Netfiltersys_1265 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" - date = "2023-11-02" + hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" + hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" + hash = 
"1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ 
= { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" - hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" - hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" - hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" - hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" - hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-11-02" + hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_C79A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-11-02" + hash = "c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 
} /* CompanyName MicroFocus */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ condition: all of them } -rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-11-02" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* ProductVersion r */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } 
-rule PUA_VULN_Driver_Novellinc_Novellxtier_003E { +rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" - date = "2023-11-02" + hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" + hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" + hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" + hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" + hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" + hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073 } /* CompanyName PhoenixTechnologies */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* InternalName Agentsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004400720069007600650072004100670065006e0074 } /* ProductName DriverAgent */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* OriginalFilename Agentsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0045006e0054006500630068002000540061006900770061006e002c00200031003900390037002d0032003000300039 } /* LegalCopyright EnTechTaiwan */ condition: all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_A97B { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_FA77 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67" - hash = "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d" - date = "2023-11-02" + hash = "fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a" + hash = "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* ProductVersion */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-11-02" + hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003200320039 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: all of them } -rule PUA_VULN_Driver_Evgatechnologyinc_Windowsvistasmartiodevice_Windowsvistasmartiodevice_3C95 { +rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SMARTEIO64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50" - date = "2023-11-02" + hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* FileDescription WindowsVistaSmartIODevice */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName EVGATechnologyInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* InternalName WindowsVistaSmartIODevice */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* ProductName WindowsVistaSmartIODevice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053004d00410052005400450049004f00360034002e005300590053 } /* OriginalFilename SMARTEIOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800630029002000320030003000370020004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightcEVGATechnologyInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ condition: all of them } -rule PUA_VULN_Driver_Avaluetechnologyinc_Avalueio_Avalueio_DEFD { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - avalueio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd" - hash = "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec" - date = "2023-11-02" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100760061006c007500650049004f0020004400720069007600650072 } /* FileDescription AvalueIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0020004100760061006c0075006500200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName AvalueTechnologyInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100560041004c005500450049004f } /* InternalName AVALUEIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061006c007500650049004f0020 } /* ProductName AvalueIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100560041004c005500450049004f002e005300590053 } /* OriginalFilename AVALUEIOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006300200032003000310036 } /* LegalCopyright Copyrightc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } -rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { +rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrIbDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" - date = "2023-11-02" + hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" + hash = "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de" + hash = "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f" + hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" + hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" + hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* ProductName RWEverythingReadWriteDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ condition: all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-11-02" + hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000340037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_653F { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_2203 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" - hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" - hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" - date = "2023-11-02" + hash = "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300038002c002000300035002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ condition: all of them } -rule 
PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_0D13 { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180" - hash = "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76" - date = "2023-11-02" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e00310037003000350032002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* 
OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310037002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_64DD { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_468B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66" - hash = "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3" - date = "2023-11-02" + hash = "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5" + hash = "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2023-11-02" + hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* 
FileDescription AVGAntiRootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310034002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright 
CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F { +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PCHunter.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2023-11-02" + hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]4e00666e660e4e3aff0853174eacff094fe1606f6280672f67099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* InternalName PCHuntersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050004300480075006e007400650072 } /* ProductName PCHunter */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* OriginalFilename PCHuntersys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310033002d0032003000310036002000450070006f006f006c0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CEpoolsoftCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: all of them } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { +rule 
PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" - hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" - hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" - hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" - hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" - hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" - hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" - date = "2023-11-02" + hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName 
CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* InternalName PanMonFltsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* OriginalFilename PanMonFltsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright 
CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_F4E5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" - hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2023-11-02" + hash = "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114" + hash = "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034 } /* ProductName NTIOLibX */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { +rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description 
= "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" - date = "2023-11-02" + hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c0065006e006f0076006f002000470072006f007500700020004c0069006d00690074006500640020002800520029 } /* CompanyName LenovoGroupLimitedR */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* InternalName LenovoDiagnosticsDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073 } /* ProductName LenovoDiagnostics */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* OriginalFilename LenovoDiagnosticsDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000320030003200310020004c0065006e006f0076006f002000470072006f007500700020004c0069006d0069007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright LenovoGroupLimitedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_13AE { +rule PUA_VULN_Driver_3F20 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9" - hash = "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc" - hash = "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91" - hash = "71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713" - hash = "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3" - hash = "8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040" - date = "2023-11-02" + hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright 
Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { +rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" - hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" - date = "2023-11-02" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_5A0B { +rule PUA_VULN_Driver_Dell_Dbutil_71FE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9" - hash = "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d" - hash = "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca" - date = "2023-11-02" + hash = 
"71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300030003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440065006c006c } /* CompanyName Dell */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0037002e0030002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440042005500740069006c } /* 
ProductName DBUtil */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000320031002000440065006c006c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e0020 } /* LegalCopyright DellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 { +rule PUA_VULN_Driver_Cn_Computerzsys_6D2C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-11-02" + hash = "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d" + hash = "8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100330020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { +rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-11-02" + hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" + hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f } /* InternalName ATSZIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AE3A { +rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - asmmap64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156" - date = "2023-11-02" + hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005300550053 } /* CompanyName ASUS */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* InternalName asmmapsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004b002000470065006e0065007200690063002000460075006e006300740069006f006e00200053006500720076006900630065 } /* ProductName ATKGenericFunctionService */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* OriginalFilename asmmapsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_8ED0 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9724 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" - hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" - date = "2023-11-02" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ 
@@ -3358,194 +3778,193 @@ rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_8ED0 { } -rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_9C8E { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91" - hash = "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e" - date = "2023-11-02" + hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300031003400200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { +rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23BA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LHA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-11-02" + hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" + hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* InternalName CupFixerxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* OriginalFilename CupFixerxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c004700200045006c0065006300740072006f006e00690063007300200049006e0063002e } /* CompanyName LGElectronicsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00480041002e007300790073 } /* InternalName LHAsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName 
MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00480041002e007300790073 } /* OriginalFilename LHAsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0075006c00740072006100620069006f007300400068006f0074006d00610069006c002e0063006f006d } /* LegalCopyright ultrabioshotmailcom */ condition: all of them } -rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_A66B { +rule PUA_VULN_Driver_Elitegroupcomputersystems_Ecsiodriversys_Ecsiodriver_2705 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ecsiodriverx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e" - hash = "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727" - date = "2023-11-02" + hash = "270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0034002e00320031003300340033002e0031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000320031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045004300530049006f004400720069007600650072 } /* FileDescription ECSIoDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073 } /* CompanyName ElitegroupComputerSystems */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* InternalName ECSIoDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300530049006f004400720069007600650072 } /* ProductName ECSIoDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* OriginalFilename ECSIoDriversys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d003200300031003000200045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCElitegroupComputerSystemsAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_00C3 { +rule PUA_VULN_Driver_Cn_Computerzsys_8D33 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c" - date = "2023-11-02" + hash = "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409" + hash = "31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e003200320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030002e00320032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300034002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright CopyrightcRadiantSystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* 
OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_C586 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-11-02" + hash = "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65" + hash = "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_EDBB { +rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - GtcKmdfBs.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5" - hash = "4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51" - date = "2023-11-02" + hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f0067004d00650049006e002c00200049006e0063002e } /* CompanyName LogMeInInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* InternalName LMIinfosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0067004d00650049006e } /* ProductName LogMeIn */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* OriginalFilename LMIinfosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033002d00320030003100370020004c006f0067004d00650049006e002c00200049006e0063002e00200050006100740065006e00740065006400200061006e006400200070006100740065006e00740073002000700065006e00640069006e0067002e } /* LegalCopyright CopyrightLogMeInIncPatentedandpatentspending */ condition: all of them } -rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { meta: - description = "Detects vulnerable driver mentioned 
in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-11-02" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* 
FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } -rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_7142 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5" - hash = "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65" - date = "2023-11-02" + hash = 
"1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00360034 } /* FileDescription GenericPortIOforWin */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_A072 { +rule PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_9D93 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" - date = "2023-11-02" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + date = "2024-08-07" score = 40 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ 
@@ -3561,877 +3980,915 @@ rule PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_A072 { } -rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-11-02" + hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" + hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" + hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename 
aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { +rule 
PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" - date = "2023-11-02" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_EDBB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = 
"edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5" + hash = "4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-11-02" + hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro 
*/ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BCED { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-11-02" + hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName 
Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e00330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300035 } /* LegalCopyright CopyrightCMRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" - hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" - date = "2023-11-02" + hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_0F3E { +rule PUA_VULN_Driver_Novellinc_Novellxtier_1493 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" - hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" - hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" - hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" - hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" - hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" - hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" - date = "2023-11-02" + hash = 
"14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278 { +rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7C0F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440" - date = "2023-11-02" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = 
"2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005700610074006300680044006f006700200041006e00740069007600690072007500730020004400720069007600650072 } /* FileDescription WatchDogAntivirusDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005700610074006300680044006f00670044006500760065006c006f0070006d0065006e0074002e0063006f006d002c0020004c004c0043002e } /* CompanyName WatchDogDevelopmentcomLLC */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* InternalName wsdkdsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007700730064006b0064 } /* ProductName wsdkd */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* OriginalFilename wsdkdsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ condition: all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-11-02" + hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300037 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { +rule PUA_VULN_Driver_Cn_Computerzsys_BC45 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-11-02" + hash = "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e" + hash = "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_6B71 { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - nicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" - hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - date = "2023-11-02" + hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* 
LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { +rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HW.sys" + description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" - hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-11-02" + hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003100350020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053006100660065004e00650074002c00200049006e0063002e } /* CompanyName SafeNetInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048006f00730074006e0074 } /* InternalName Hostnt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006f00730074006e0074 } /* ProductName Hostnt */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048006f00730074006e0074002e007300790073 } /* OriginalFilename Hostntsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000200053006100660065004e00650074002c00200049006e0063002e } /* LegalCopyright CopyrightCSafeNetInc */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { +rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-11-02" + hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ condition: all of them } -rule PUA_VULN_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_848B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + hash = "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_903D { +rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b" - hash = "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0" - date = "2023-11-02" + hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00320030002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e0030002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* 
FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_4C2D { +rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_2AA1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" - hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" - hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" - hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" - date = "2023-11-02" + hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ condition: all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-11-02" + hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" + hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion 
builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000370030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-11-02" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500069006e00640075006f00640075006f0020004c0074006400200043006f00720070 } /* CompanyName PinduoduoLtdCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500069006e00640075006f00640075006f00200053006500630075007200650020005600440049 } /* ProductName PinduoduoSecureVDI */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d0032003000320031002000500069006e00640075006f00640075006f00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCPinduoduoCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* 
OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" - date = "2023-11-02" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_898E { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289" - hash = "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8" - date = "2023-11-02" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } 
-rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" - hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-11-02" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00340030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00340030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_1493 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { 
meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" - hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" - hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - date = "2023-11-02" + hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { meta: - 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-11-02" + hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310035002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule 
PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-11-02" + hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" + hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" + hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" + hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" + hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" + hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310035002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-11-02" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_71C0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-11-02" + hash = "71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713" + hash = "13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9" + hash = "8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040" + hash = "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc" + hash = "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91" + hash = "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* 
FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { +rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-11-02" + hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000340039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* InternalName speedfansys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* OriginalFilename speedfansys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { +rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" - hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-11-02" + hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000360035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName 
TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { meta: - description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" - date = "2023-11-02" + hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: all of them } -rule PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { +rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-11-02" + hash = 
"fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006e0054006500630068002000540061006900770061006e } /* CompanyName EnTechTaiwan */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065003600340061002e007300790073 } /* InternalName seasys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0073006f006600740045006e00670069006e0065002d007800360034 } /* ProductName softEnginex */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065003600340061002e007300790073 } /* OriginalFilename seasys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200045006e0054006500630068002000540061006900770061006e002c00200032003000300034002d0032003000300036002e } /* LegalCopyright CopyrightcEnTechTaiwan */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* ProductVersion */ 
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_075D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-11-02" + hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" + hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } 
/* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003100200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00330032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00330032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320030 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { +rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_AE42 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" - date = "2023-11-02" + hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" + hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" + hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003300200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00330020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0033 } /* ProductName MsIoDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004d00490043005300590053 } /* LegalCopyright 
CopyrightcMICSYS */ condition: all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { +rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-11-02" + hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ condition: all of them } -rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-11-02" + hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f00620069007400200049006e0066006f0072006d006100740069006f006e00200054006500630068006e006f006c006f00670079 } /* CompanyName IObitInformationTechnology */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0055006e006c006f0063006b00650072 } /* ProductName Unlocker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficymachineedition_Build_CAC5 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D7C9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461" - hash = 
"51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb" - date = "2023-11-02" + hash = "d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8" + hash = "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* CompanyName GEIntelligentPlatformsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* FileVersion Build */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* ProductVersion Build */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310031002c00200047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* LegalCopyright GEIntelligentPlatformsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription 
NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300030002c002000300030002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { +rule PUA_VULN_Driver_Cn_Computerzsys_A97B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-11-02" + hash = "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67" + hash = "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_909D { +rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-11-02" + hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" + hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034 } /* ProductName NTIOLibX */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* 
OriginalFilename NTIOLibXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { +rule PUA_VULN_Driver_Featureintegrationtechnologyinc_Fintekpciecom_81FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FairplayKD.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-11-02" + hash = "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d" + hash = "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0075006c007400690020005400680065006600740020004100750074006f } /* CompanyName MultiTheftAuto */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00540041002000530061006e00200041006e00640072006500610073 } /* ProductName MTASanAndreas */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003000330020002d002000320030003100370020004d0075006c007400690020005400680065006600740020004100750074006f } /* LegalCopyright CMultiTheftAuto */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460049004e00540045004b002000500043004900450043004f004d00200041006400610070007400650072 } /* FileDescription FINTEKPCIECOMAdapter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName FeatureIntegrationTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460049004e00540045004b002000500043004900450043004f004d0020 } /* ProductName FINTEKPCIECOM */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200320020004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightCFeatureIntegrationTechnologyInc */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_4D77 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6BFC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d" - date = "2023-11-02" + hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" + hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" + hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310031 } /* LegalCopyright CopyrightCMRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_F629 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7A48 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" - hash = 
"0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" - date = "2023-11-02" + hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340031 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: all of them } @@ -4443,7 +4900,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-11-02" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -4456,981 +4913,1003 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-11-02" + hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee" + hash = "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9" + hash = "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c" + hash = "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5" + hash = "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7" + hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" + hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" + hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300030003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-11-02" + hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { meta: - description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" - date = "2023-11-02" + hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule 
PUA_VULN_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { +rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_8899 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" - date = "2023-11-02" + hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" + hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" + hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" + hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { +rule PUA_VULN_Driver_Filseclabcorporation_Fildds_Filseclabdynamicdefensesystem_F8C0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - fildds.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-11-02" + hash = "f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006400640073 } /* InternalName fildds */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006400640073002e007300790073 } /* OriginalFilename filddssys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310031002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ condition: all of them } -rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" - date = "2023-11-02" + hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" - date = "2023-11-02" + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E6D1 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5" - date = "2023-11-02" + hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600330032002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-11-02" + hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" + date = "2024-08-07" score = 40 
strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + 
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Generalelectriccompany_Gedevicedriver_Proficymachineedition_Build_A369 { +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce" - hash = "ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc" - date = "2023-11-02" + hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" + hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" + hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* CompanyName GeneralElectricCompany */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* FileVersion Build */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* ProductVersion Build */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310037002000470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* LegalCopyright GeneralElectricCompany */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdatetoolkerneldriver_0CF8 { +rule PUA_VULN_Driver_Nmscommunications_Cgkwinksys_Ctaccess_223F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cg6kwin2k.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0" - hash = "f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2" - date = "2023-11-02" + hash = "223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430047002f004d0047002000660061006d0069006c00790020006400720069007600650072 } /* FileDescription CGMGfamilydriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e004d005300200043006f006d006d0075006e00690063006100740069006f006e0073 } /* CompanyName NMSCommunications */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e003000300020006200750069006c0074002000620079003a002000410064006d0069006e006900730074007200610074006f0072 } /* FileVersion builtbyAdministrator */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* InternalName cgkwinksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004300540020004100630063006500730073 } /* ProductName CTAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* OriginalFilename cgkwinksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004e004d005300200043006f006d006d0075006e00690063006100740069006f006e007300200043006f00720070002e0032003000300034 } /* LegalCopyright CopyrightCNMSCommunicationsCorp */ condition: all of them } -rule PUA_VULN_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" - date = "2023-11-02" + hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000350038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } 
/* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_87B4 { +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b" - date = "2023-11-02" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp 
*/ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = 
{ 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-11-02" + hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* InternalName CupFixerxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* 
OriginalFilename CupFixerxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E452 { +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdatetoolkerneldriver_0CF8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-11-02" + hash = "0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0" + hash = "f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* 
InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ condition: all of them } -rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D { +rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" - hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-11-02" + hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ condition: all of 
them } -rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_4D77 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" - hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" - date = "2023-11-02" + hash = "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-11-02" + hash = 
"2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007000680079006d0065006d } /* InternalName phymem */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007000680079006d0065006d } /* ProductName phymem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007000680079006d0065006d002e007300790073 } /* OriginalFilename phymemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000390038 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physicalmemoryaccessdriver_C299 { +rule PUA_VULN_Driver_Cn_Computerzsys_00D9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - physmem.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-11-02" + hash = "00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048 } /* CompanyName HilscherGesellschaftfrSystemaoutomationmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* InternalName physmemsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* ProductName PhysicalMemoryAccessDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* OriginalFilename physmemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright HilscherGesellschaftfrSystemaoutomationmbHAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_D04C { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" - hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" - hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" - hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_C35C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { +rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-11-02" + hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = 
{ 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* InternalName IOMapsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* ProductName ASUSKernelModeDriverforNT */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* OriginalFilename IOMapsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003100300020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-11-02" + hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_6C71 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E452 
{ meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ncpl.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" - hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" - hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" - hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" - hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-11-02" + hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { +rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { meta: - description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-11-02" + hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" + hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_0005 { +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E602 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
CorsairLLAccess64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" - hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" - date = "2023-11-02" + hash = "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ condition: all of them } -rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 { +rule PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - titidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-11-02" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription 
titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_5DF6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-11-02" + hash = "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00" 
+ date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ 
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003300200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" - date = "2023-11-02" + hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* 
LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { +rule PUA_VULN_Driver_Cn_Computerzsys_348D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5" - hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" - hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" - hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" - hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - date = "2023-11-02" + hash = "348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1" + hash = "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: all of them } -rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_BB11 { +rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" - hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" - date = "2023-11-02" + hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004800750061007700650069 } /* CompanyName Huawei */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077004f0073003200450063 } /* InternalName HwOsEc */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048007500610077006500690020004d0061007400650042006f006f006b } /* ProductName HuaweiMateBook */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480077004f0073003200450063002e007300790073 } /* OriginalFilename HwOsEcsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310036 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */ condition: all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-11-02" + hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ 
= { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ 
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Evgatechnologyinc_Windowsvistasmartiodevice_Windowsvistasmartiodevice_3C95 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SMARTEIO64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* FileDescription WindowsVistaSmartIODevice */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName EVGATechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* InternalName WindowsVistaSmartIODevice */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* ProductName WindowsVistaSmartIODevice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053004d00410052005400450049004f00360034002e005300590053 } /* OriginalFilename SMARTEIOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800630029002000320030003000370020004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightcEVGATechnologyInc */ condition: all of them } -rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" - date = "2023-11-02" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_5DF6 { +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00" - date = "2023-11-02" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003300200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ condition: all of them } -rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_1FAC { +rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" - hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-11-02" + hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } 
/* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-11-02" + hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" + hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Netfiltersys_F171 { +rule PUA_VULN_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_D8FC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" - date = "2023-11-02" + hash = "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* FileDescription WistronRWADriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* CompanyName WistronCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* InternalName WiRwaDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* ProductName WistronRWADriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* OriginalFilename WiRwaDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCWistronCorporation */ condition: all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-11-02" + hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ 
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_F14D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" - hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-11-02" + hash = "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d" + hash = "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-11-02" + hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370038 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" - 
hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-11-02" + hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* 
CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-11-02" + hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* 
FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000360033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* 
ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ condition: all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Atlaccesssys_Windowsrwinddkdriver_0B57 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atlAccess.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-11-02" + hash = "0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003100300034 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006d0070006c0065002000500043004900200061006300630065007300730020006400720069007600650072 } /* FileDescription SimplePCIaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* InternalName atlAccesssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* OriginalFilename atlAccesssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_8047 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_909F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250" - hash = "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d" - date = "2023-11-02" + hash = "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100330020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* 
CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { +rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-11-02" + hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003900380034 } /* ProductVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003900320038 } /* ProductVersion */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: 
@@ -5438,3851 +5917,3749 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { } -rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrRapidStartDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" - hash = "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de" - hash = "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f" - hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" - hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" - hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" - date = "2023-11-02" + hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* ProductName RWEverythingReadWriteDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: all of them } -rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_7C8A { +rule PUA_VULN_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc" - date = "2023-11-02" + hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00330033002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00330033002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* 
InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000310038004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright NCRCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ condition: all of them } -rule PUA_VULN_Driver_Databaseharborsoftware_Sysinfodetectorxsys_Sysinfodetector_45E5 { +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_9399 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysInfoDetectorX64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271" - date = "2023-11-02" + hash = "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727" + hash = "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200200066006f007200200053007900730049006e0066006f0020004400650074006500630074006f0072 } /* FileDescription DriverforSysInfoDetector */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* CompanyName DatabaseHarborSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* InternalName SysInfoDetectorXsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0053007900730049006e0066006f0020004400650074006500630074006f0072 } /* ProductName SysInfoDetector */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* OriginalFilename SysInfoDetectorXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003400200044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* LegalCopyright CopyrightCDatabaseHarborSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0034002e00320031003300340033002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000320031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_8D33 { +rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409" - hash = "31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5" - date = "2023-11-02" + hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" - date = "2023-11-02" + hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0035002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0035002e0031002e0031 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300036002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1B00 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" - date = "2023-11-02" + hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" + hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Fintekcorp_Fintekcorpfintekpcieuart_32BD { +rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FairplayKD.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e" - hash = "b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe" - hash = "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d" - date = "2023-11-02" + hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006e00740065006b002000500063006900650032005500610072007400200041006400610070007400650072 } /* FileDescription FintekPcieUartAdapter */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e } /* CompanyName FintekCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e002000460069006e00740065006b0020005000630069006500320055006100720074 } /* ProductName FintekCorpFintekPcieUart */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200040002000460069006e00740065006b00200043006f00720070002e00200032003000300032002d0032003000310033 } /* LegalCopyright CopyrightFintekCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0075006c007400690020005400680065006600740020004100750074006f } /* CompanyName MultiTheftAuto */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00540041002000530061006e00200041006e00640072006500610073 } /* ProductName MTASanAndreas */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003000330020002d002000320030003100370020004d0075006c007400690020005400680065006600740020004100750074006f } /* LegalCopyright CMultiTheftAuto */ condition: all of them } -rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { 
meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Lv561av.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-11-02" + hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f00670069007400650063006800200049006e0063002e } /* CompanyName LogitechInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* InternalName Lvavsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f006700690074006500630068002000570065006200630061006d00200053006f006600740077006100720065 } /* ProductName LogitechWebcamSoftware */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* OriginalFilename Lvavsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200031003900390036002d00320030003000390020004c006f006700690074006500630068002e002000200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright cLogitechAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC { +rule PUA_VULN_Driver_Novellinc_Novellxtier_A153 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-11-02" + hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" + hash = 
"e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" + hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003300370031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_3F36 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-11-02" + hash = "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f" + hash = "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003200300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule 
PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-11-02" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright 
CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-11-02" + hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: all of them } -rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Pancafemanager_0650 { +rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFltX64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-11-02" + hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* InternalName PanMonFltXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* OriginalFilename PanMonFltXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_C586 { +rule PUA_VULN_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65" - hash = "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d" - date = "2023-11-02" + hash = "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* ProductVersion */ + 
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ZwuqiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a6b665668 } /* CompanyName Z */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* ProductName ZwuqiSystemDriver */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e007a0077007500710069002e0063006f006d } /* LegalCopyright CopyrightCwwwzwuqicom */ condition: all of them } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_CAA8 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" - hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" - date = "2023-11-02" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { +rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-11-02" + hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } 
/* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* InternalName speedfansys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* OriginalFilename speedfansys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { +rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" - date = "2023-11-02" + hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* 
FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { +rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-11-02" + hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ condition: all of them } -rule PUA_VULN_Driver_Realteksemiconductorcorp_Rtportsys_Realtekportio_FF32 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_6C5A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1" - date = "2023-11-02" + hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* FileDescription REALTEKPortIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* CompanyName REALTEKSemiconductorCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* InternalName RTPORTSYS */ 
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* ProductName REALTEKPortIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* OriginalFilename RTPORTSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200031003900390039002d00320030003000310020005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* LegalCopyright CopyrightcREALTEKSemiconductorCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E0 { 
+rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-11-02" + hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* ProductVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_BC45 { +rule PUA_VULN_Driver_Cn_Computerzsys_3913 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e" - hash = "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714" - date = "2023-11-02" + hash = "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d" + hash = "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1" + hash = "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9" + date = "2024-08-07" score = 40 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-11-02" - score = 40 
- strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003100200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { +rule PUA_VULN_Driver_Cn_Computerzsys_767E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-11-02" + hash = "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b" + hash = "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription 
LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_909F { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77" - date = "2023-11-02" + hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion 
*/ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { +rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandports_4E3E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - otipcibus.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-11-02" + hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000350038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00540069 } /* CompanyName OTi */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* InternalName otipcibussys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200054006f002000410063006300650073007300200050006800790073006900630061006c0020004d0065006d006f0072007900200041006e006400200050006f007200740073 } /* ProductName KernelModeDriverToAccessPhysicalMemoryAndPorts */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* OriginalFilename otipcibussys */ condition: all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_A34E { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1" - hash = "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d" - hash = "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9" - date = "2023-11-02" + hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule 
PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { +rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-11-02" + hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003700200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName MsIoDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ condition: all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3C7E { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_F8D4 { meta: - description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" - hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" - hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" - date = "2023-11-02" + hash = "f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310031 } 
/* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" 
author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" - date = "2023-11-02" + hash = "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb" + hash = "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription 
avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_77DA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-11-02" + hash = "77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f" + hash = "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_Dev_DF96 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_0368 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858" - date = "2023-11-02" + hash = "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d" + hash = "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription 
RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0030002e0030002e003200200044006500760020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion DevbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0030002e0030002e00320020004400650076 } /* ProductVersion Dev */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d00320030003100370020004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcNCRCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B0DC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvaudio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-11-02" + hash = "b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ - $ 
= { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_2D83 { +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_7C79 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" - hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" - hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" - date = "2023-11-02" + hash = "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* InternalName inpoutxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f007500740078003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutxDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* OriginalFilename inpoutxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0039002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0039002e0030002e0031 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5FAE { +rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879" - date = "2023-11-02" + hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { +rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PCHunter.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-11-02" + hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]4e00666e660e4e3aff0853174eacff094fe1606f6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* InternalName PCHuntersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050004300480075006e007400650072 } /* ProductName PCHunter */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* OriginalFilename PCHuntersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310033002d0032003000310036002000450070006f006f006c0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CEpoolsoftCorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { +rule 
PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-11-02" + hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0035002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0035002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300036002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { +rule PUA_VULN_Driver_Cn_Computerzsys_0FC3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" + description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2023-11-02" + hash = "0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7" + hash = "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003100200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00310020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0031 } /* ProductName MsIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* 
FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { +rule PUA_VULN_Driver_Netfiltersys_EDC6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" - hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" - date = "2023-11-02" + hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" + hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" + hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: all of them } -rule PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { +rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" - hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" - date = "2023-11-02" + hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription 
OverclockingHardwareAbstractionSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003900380034 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_7337 { +rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { meta: - description 
= "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e" - hash = "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4" - date = "2023-11-02" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0C92 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" - hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" - date = "2023-11-02" + hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100300036 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3CB1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-11-02" + hash = "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284" + hash = "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* 
FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_D8FC { +rule PUA_VULN_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e" - date = "2023-11-02" + hash = "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* FileDescription WistronRWADriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* CompanyName WistronCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* InternalName WiRwaDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* ProductName WistronRWADriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* OriginalFilename WiRwaDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCWistronCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005700610074006300680044006f006700200041006e00740069007600690072007500730020004400720069007600650072 } /* FileDescription WatchDogAntivirusDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005700610074006300680044006f00670044006500760065006c006f0070006d0065006e0074002e0063006f006d002c0020004c004c0043002e } /* CompanyName WatchDogDevelopmentcomLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* InternalName wsdkdsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007700730064006b0064 } /* ProductName wsdkd */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* OriginalFilename wsdkdsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ condition: all of them } -rule 
PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_3933 { +rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_B179 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec7x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0" - hash = "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d" - date = "2023-11-02" + hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" + hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* 
OriginalFilename SBIOSIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004800750061007700650069 } /* CompanyName Huawei */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077004f0073003200450063 } /* InternalName HwOsEc */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048007500610077006500690020004d0061007400650042006f006f006b } /* ProductName HuaweiMateBook */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480077004f0073003200450063002e007300790073 } /* OriginalFilename HwOsEcsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310036 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 { +rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - 
hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-11-02" + hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { +rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" - date = "2023-11-02" + hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003200320039 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_66F8 { +rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { meta: - 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" - hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" - date = "2023-11-02" + hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-11-02" + hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" + date = "2024-08-07" score = 40 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0033002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0033002e0031002e0031 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" - date = "2023-11-02" + hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_0F30 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-11-02" + hash = "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0" + hash = "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00320030002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e0030002e0037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { +rule PUA_VULN_Driver_Insydesoftware_Insydeflash_Insydeflashutilitybitdriver_CE0A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iscflashx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" - date = "2023-11-02" + hash = "ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* FileDescription iscflashxsys */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f006600740077006100720065 } /* CompanyName InsydeSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049006e00730079006400650046006c006100730068 } /* InternalName InsydeFlash */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e007300790064006500200046006c0061007300680020005500740069006c00690074007900200036003400200062006900740020004400720069007600650072 } /* ProductName InsydeFlashUtilitybitDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* OriginalFilename iscflashxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003500200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-11-02" + hash = 
"80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" + date = "2024-08-07" score = 40 strings: - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* InternalName ADVDRVsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f006600740052002000570069006e0064006f0077007300520020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsROperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* OriginalFilename ADVDRVsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800430029002000460055004a00490054005300550020004c0049004d004900540045004400200032003000300035 } /* LegalCopyright CopyrightCFUJITSULIMITED */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000390031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 { +rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-11-02" + hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-11-02" + hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" + hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000350036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* FileVersion r */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* ProductVersion r */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ condition: all of them } -rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 { +rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-11-02" + hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" + hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* InternalName PanMonFltsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* OriginalFilename PanMonFltsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ + 
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_16E2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-11-02" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_060D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-11-02" + hash = "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f" + hash = "b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100340030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_3F36 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_7553 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f" - hash = "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60" - date = "2023-11-02" + hash = "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3" + hash = "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 
} /* FileDescription LudashiSystemDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003200300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { +rule PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-11-02" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* InternalName Monitorsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e006300650064002000530079007300740065006d0043006100720065 } /* ProductName AdvancedSystemCare */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* OriginalFilename Monitorsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription 
OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* FileVersion */ + $ = 
{ 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-11-02" + hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0033002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0033002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { +rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-11-02" + hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName 
iomemsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* InternalName aswVmmsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00610076006100730074002100200041006e0074006900760069007200750073 } /* ProductName avastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* OriginalFilename aswVmmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003300200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_D884 { +rule 
PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" - hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" - hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - date = "2023-11-02" + hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* InternalName vmdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* OriginalFilename vmdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200056006f006900630065006d006f006400200053002e004c002e0032003000310030002d0032003000320030 } /* LegalCopyright CopyrightCVoicemodSL */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037003100320030003100300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006700640072007600360034 } /* ProductName gdrv */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_CDFB { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" - hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" - date = "2023-11-02" + hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00330032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00330032 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340033 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320030 } /* LegalCopyright CopyrightCMarkRussinovich */ - condition: - all of them -} - - -rule 
PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0032002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0032002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CopyrightCIntelCorporationAllRightsReserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Computerz_Computerzsys_Computerzsystemdriver_61F3 { +rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874" - date = "2023-11-02" + hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ComputerZSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f006d00700075007400650072005a } /* CompanyName ComputerZ */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* ProductName ComputerZSystemDriver */ 
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300030003800200043006f006d00700075007400650072005a } /* LegalCopyright CopyrightCComputerZ */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ condition: all of them } -rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandports_4E3E { +rule 
PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3D00 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - otipcibus.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-11-02" + hash = "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00540069 } /* CompanyName OTi */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* InternalName otipcibussys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200054006f002000410063006300650073007300200050006800790073006900630061006c0020004d0065006d006f0072007900200041006e006400200050006f007200740073 } /* ProductName KernelModeDriverToAccessPhysicalMemoryAndPorts */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* OriginalFilename otipcibussys */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" - hash = 
"31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-11-02" + hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f } /* InternalName ATSZIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000360033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_348D { +rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1" - hash = "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778" - date = "2023-11-02" + hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ condition: all of them } -rule 
PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-11-02" + hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header 
- sandra.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" - date = "2023-11-02" + hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-11-02" + hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100320031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* 
CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* FileVersion r */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* ProductVersion r */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_16AE { +rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxc_1183 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c" - hash = "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c" - date = "2023-11-02" + hash = "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d003200580037003200430020004b00650072006e0065006c0020004400650076006900630065002000440072006900760065007200280053005900530029002000570069006e0064006f00770073004e0054 } /* FileDescription GPCXCKernelDeviceDriverSYSWindowsNT */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e007300790073 } /* InternalName CPXCsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043 } /* ProductName GPCXC */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043 } /* OriginalFilename CPXC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300030003700200049006e007400650072006600610063006500200043006f00720070002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorpAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-11-02" + hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* InternalName CPUDriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* OriginalFilename CPUDriver */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006200790020004100530055005300540065006b00200043004f004d0050005500540045005200200049004e0043002e00200032003000300036 } /* LegalCopyright CopyrightbyASUSTekCOMPUTERINC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380032 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-11-02" + hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000350032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006300740069007600650043006c00650061006e } /* ProductName ActiveClean */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_81D5 { +rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05" - date = "2023-11-02" + hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" + hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300031003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00340030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_468B { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian 
Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5" - hash = "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1" - date = "2023-11-02" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } -rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_6CF1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" - date = "2023-11-02" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_EAE5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-11-02" + hash = "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003900320038 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003000390031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-11-02" + hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300037 } /* LegalCopyright CopyrightCMRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { +rule PUA_VULN_Driver_Databaseharborsoftware_Sysinfodetectorxsys_Sysinfodetector_45E5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysInfoDetectorX64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200200066006f007200200053007900730049006e0066006f0020004400650074006500630074006f0072 } /* FileDescription DriverforSysInfoDetector */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* CompanyName DatabaseHarborSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* InternalName SysInfoDetectorXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007900730049006e0066006f0020004400650074006500630074006f0072 } /* ProductName SysInfoDetector */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* OriginalFilename SysInfoDetectorXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003400200044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* LegalCopyright CopyrightCDatabaseHarborSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7048 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" - date = "2023-11-02" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + date = "2024-08-07" score = 40 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - etdsupp.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-11-02" + hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079 } /* CompanyName HPDevelopmentCompany */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* InternalName etdsuppsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048005000200045005400440069002000440072006900760065007200200044004c004c } /* ProductName HPETDiDriverDLL */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* OriginalFilename etdsuppsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200031003900390031002d00320030003200320020004800650077006c006500740074002d005000610063006b00610072006400200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079002c0020004c002e0050002e } /* LegalCopyright CCopyrightHewlettPackardDevelopmentCompanyLP */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000350036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - asmmap64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-11-02" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005300550053 } /* CompanyName ASUS */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* InternalName asmmapsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004b002000470065006e0065007200690063002000460075006e006300740069006f006e00200053006500720076006900630065 } /* ProductName ATKGenericFunctionService */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* OriginalFilename asmmapsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* 
CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ +rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_Dev_DF96 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858" + date = "2024-08-07" + score = 40 + strings: + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0030002e0030002e003200200044006500760020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion DevbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0030002e0030002e00320020004400650076 } /* ProductVersion Dev */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d00320030003100370020004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcNCRCorporation */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, 
avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-11-02" + hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* 
OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Mitactechnologycorporation_Vdbsvsys_Mitacsystemserviceprovider_91AF { +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_BA40 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VdBSv64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4" - date = "2023-11-02" + hash = "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* InternalName VdBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* OriginalFilename VdBSvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003100370035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: all of them } -rule PUA_VULN_Driver_Intelcorp_Stdcdrvwssys_Selftestdatacollectordriverforwindowsx_70AF { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrvws64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505" - date = "2023-11-02" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f00720020004400720069007600650072 } /* FileDescription SelfTestDataCollectorDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070002e } /* CompanyName IntelCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* InternalName stdcdrvwssys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072002000440072006900760065007200200066006f0072002000570069006e0064006f00770073002000370020007800360034 } /* ProductName SelfTestDataCollectorDriverforWindowsx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* OriginalFilename stdcdrvwssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310030 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6E0A { +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-11-02" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ condition: all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { +rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" - hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-11-02" + hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320031002e00360033 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007000790072006900670068007400200032003000310038002e } /* CompanyName Copyright */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* ProductName AdvancedMalwareProtection */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005a0041004d002e006500780065 } /* OriginalFilename ZAMexe */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000310038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" - date = "2023-11-02" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName 
ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_3670 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" - date = "2023-11-02" + hash = "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76" + hash = "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e00310037003000350032002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310037002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-11-02" + hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule 
PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_0FC0 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3" - date = "2023-11-02" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" - date = "2023-11-02" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename 
HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_E89C { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" - hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" - date = "2023-11-02" + hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ - $ 
= { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-11-02" + hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0034002e003400390033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* InternalName AMDPowerProfilersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020007500500072006f0066 } /* ProductName AMDuProf */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* OriginalFilename AMDPowerProfilersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020003200300032003100200041004d004400200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright AMDIncAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_C490 { +rule 
PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_898E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b" - hash = "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16" - hash = "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e" - date = "2023-11-02" + hash = "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289" + hash = "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ 
= { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D7C9 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AFDA { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8" - hash = "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5" - date = "2023-11-02" + hash = "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3" + hash = "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300030002c002000300030002c002000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ - condition: - all of them -} - - -rule 
PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* InternalName PanIOxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* OriginalFilename PanIOxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { +rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_6386 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" - date = "2023-11-02" + hash = "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e" + hash = "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300031003400200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_C490 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-11-02" + hash = "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b" + hash = "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e" + hash = "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e00310031002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e00310031002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName 
rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: all of them } -rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { +rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-11-02" + hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f00480057004d0049004f00360034005f005700310030002e007300790073 } /* OriginalFilename BSHWMIOWsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* InternalName ALSysIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f00360034 } /* ProductName ALSysIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* OriginalFilename ALSysIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300031003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ condition: all of them } -rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" - hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-11-02" + hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100300020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: all of them } 
-rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" - date = "2023-11-02" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-11-02" + hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* InternalName aswVmmsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00610076006100730074002100200041006e0074006900760069007200750073 } /* ProductName avastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* OriginalFilename aswVmmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003300200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { +rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physicalmemoryaccessdriver_C299 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - physmem.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-11-02" + hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048 } /* CompanyName HilscherGesellschaftfrSystemaoutomationmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* InternalName physmemsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* ProductName PhysicalMemoryAccessDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* OriginalFilename physmemsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright HilscherGesellschaftfrSystemaoutomationmbHAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_4CE8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" - date = "2023-11-02" + hash = "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e00310031003200380035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300030002d0032003000310031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" - hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" - date = "2023-11-02" + hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" - date = "2023-11-02" + hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7E81 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" - hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - date = "2023-11-02" + hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_6CF1 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_F629 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" - date = "2023-11-02" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule 
PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { +rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-11-02" + hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* 
LegalCopyright CopyrightASUSTeKComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043005900520045004e00200049006e0063002e } /* CompanyName CYRENInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d0050 } /* InternalName AMP */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005900520045004e00200041004d005000200035 } /* ProductName CYRENAMP */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d0070002e007300790073 } /* OriginalFilename ampsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000310039003900390020002d00200032003000310034002e00200043005900520045004e00200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCYRENIncAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_3F20 { +rule PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" - date = "2023-11-02" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2024-08-07" score = 40 strings: - 
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_837D { +rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2" - hash = "77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f" - date = "2023-11-02" + hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300750070006500720062006d0063 } /* InternalName superbmc */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007300750070006500720062006d0063 } /* ProductName superbmc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300750070006500720062006d0063002e007300790073 } /* OriginalFilename superbmcsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ condition: all of them } -rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C 
{ +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-11-02" + hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-11-02" + hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" + hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f00360034 } /* ProductName ALSysIO */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300031003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* 
LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AE3A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" - date = "2023-11-02" + hash = "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-11-02" + hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X 
*/ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_6F80 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320031 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + hash = "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-11-02" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName 
NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { +rule PUA_VULN_Driver_Filseclabcorporation_Filnk_Filseclabdynamicdefensesystem_AE55 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-11-02" + hash = "ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006e006b } /* InternalName filnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006e006b002e007300790073 } /* OriginalFilename filnksys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310033002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE8 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-11-02" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } 
/* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdPresentAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_A475 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-11-02" + hash = "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003100320034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_66F8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" - date = "2023-11-02" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_55B5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" - date = "2023-11-02" + hash = "55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03" + date = 
"2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: all of them } -rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_BA40 { +rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d" - date = "2023-11-02" + hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5" + hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" + hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" + hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" + hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003100370035002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright 
CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_FA77 { +rule PUA_VULN_Driver_Filseclabcorporation_Filwfp_Filseclabfirewall_490C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filwfp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a" - hash = "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18" - date = "2023-11-02" + hash = "490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a" + date = "2024-08-07" score = 
40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* FileDescription FilseclabFirewall */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c007700660070 } /* 
InternalName filwfp */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* ProductName FilseclabFirewall */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c007700660070002e007300790073 } /* OriginalFilename filwfpsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { +rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-11-02" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ condition: all of them } -rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" - date = "2023-11-02" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ 
condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" - date = "2023-11-02" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-11-02" + hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" + date = "2024-08-07" score = 40 
strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000340039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { +rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" - hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ + hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" + hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-11-02" + hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { +rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-11-02" + hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" - date = "2023-11-02" + hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Intelcorporation_Stdcdrvsys_Selftestdatacollector_3702 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrv64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20" - date = "2023-11-02" + hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* FileDescription SelfTestDataCollector */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* CompanyName IntelCorporation */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* InternalName stdcdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* ProductName SelfTestDataCollector */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* OriginalFilename stdcdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcIntelCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100370036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* 
OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B236 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1" - hash = "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3" - date = "2023-11-02" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName 
nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* 
LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } -rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_00C3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-11-02" + hash = "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053006100660065004e00650074002c00200049006e0063002e } /* CompanyName SafeNetInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048006f00730074006e0074 } /* InternalName Hostnt */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006f00730074006e0074 } /* ProductName Hostnt */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048006f00730074006e0074002e007300790073 } /* OriginalFilename Hostntsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000200053006100660065004e00650074002c00200049006e0063002e } /* LegalCopyright CopyrightCSafeNetInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e003200320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030002e00320032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300034002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright CopyrightcRadiantSystemsInc */ condition: all of them } -rule PUA_VULN_Driver_Proxydrvsys_Nn_0B20 { +rule PUA_VULN_Driver_Cn_Computerzsys_DEE3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" - date = "2023-11-02" + hash = "dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233" + hash = "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName 
cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-11-02" + hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ 
= { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000340037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-11-02" + hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00320030002e0030002e0031003000300038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00320030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-11-02" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" - hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" + date = "2024-08-07" + score = 40 + strings: + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { +rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = 
"2023-11-02" + hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003200380037 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f005200430049004f00360034002e007300790073 } /* OriginalFilename BSRCIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-11-02" + hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" + hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* InternalName amifldrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* OriginalFilename amifldrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { +rule 
PUA_VULN_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_D456 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hwdetectng.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-11-02" + hash = "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2" + hash = "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee" + hash = "2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0031003100310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480057004400650074006500630074004e0047 } /* FileDescription HWDetectNG */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069004e00460045005200520045 } /* CompanyName iNFERRE */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* InternalName hwdetectngsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* ProductName hwdetectngsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* OriginalFilename hwdetectngsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200032003000300038002d0030003900200069004e00460045005200520045 } /* LegalCopyright ciNFERRE */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { +rule PUA_VULN_Driver_Adlicesoftware_Truesight_Truesight_BFC2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - truesight.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-11-02" + hash = "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0052006f006700750065004b0069006c006c0065007200200041006e007400690072006f006f0074006b006900740020004400720069007600650072 } /* FileDescription RogueKillerAntirootkitDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00410064006c00690063006500200053006f006600740077006100720065 } /* CompanyName AdliceSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005400720075006500730069006700680074 } /* InternalName Truesight */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720075006500730069006700680074 } /* ProductName Truesight */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005400720075006500730069006700680074 } /* OriginalFilename Truesight */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000410064006c00690063006500200053006f00660074007700610072006500280043002900200032003000320033 } /* LegalCopyright CopyrightAdliceSoftwareC */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_87B4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" - date = "2023-11-02" + hash = "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { +rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_F581 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" - date = "2023-11-02" + hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" + hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" + hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - 
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* InternalName inpoutxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f007500740078003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName 
inpoutxDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* OriginalFilename inpoutxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ condition: all of them } -rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" - hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" - date = "2023-11-02" + hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_A475 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f" - date = "2023-11-02" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* 
LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_7A2C { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" - date = "2023-11-02" + hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright 
CopyrightNovellInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7 { +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_CA34 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629" - date = "2023-11-02" + hash = 
"ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ZwuqiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a6b665668 } /* CompanyName Z */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* ProductName ZwuqiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e007a0077007500710069002e0063006f006d } /* LegalCopyright CopyrightCwwwzwuqicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* 
ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_46D1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" - date = "2023-11-02" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ condition: all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { +rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100300020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" + hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ condition: all of them } 
-rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-11-02" + hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003100320034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_EAE5 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed" - date = "2023-11-02" + hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003000390031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00320030002e0030002e0031003000310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } 
/* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { +rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-11-02" + hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f00620069007400200049006e0066006f0072006d006100740069006f006e00200054006500630068006e006f006c006f00670079 } /* CompanyName IObitInformationTechnology */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0055006e006c006f0063006b00650072 } /* ProductName Unlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6FB5 { +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_C190 { meta: - description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-11-02" + hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright 
CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_00D9 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9B6A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03" - date = "2023-11-02" + hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" + date = "2024-08-07" score = 40 
strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00320037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00320037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys 
*/ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310039 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_2594 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-11-02" + hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* 
FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" - hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* 
InternalName WinRingsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d00320030003000380020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310034002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_7337 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" - date = "2023-11-02" + hash = "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e" + hash = "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-11-02" + hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* 
ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0031003000310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E602 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_1E24 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822" - date = "2023-11-02" + hash = "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d" + hash = "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright 
CopyrightCGetacTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-11-02" + hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* ProductVersion r */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Netfiltersys_79E7 { +rule PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" - hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" - hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" 
- date = "2023-11-02" + hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" + date = "2024-08-07" score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + strings: + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* InternalName ADVDRVsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f006600740052002000570069006e0064006f0077007300520020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsROperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* OriginalFilename ADVDRVsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800430029002000460055004a00490054005300550020004c0049004d004900540045004400200032003000300035 } /* LegalCopyright CopyrightCFUJITSULIMITED */ condition: all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-11-02" + hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName 
AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-11-02" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { +rule PUA_VULN_Driver_Generalelectriccompany_Gedevicedriver_Proficymachineedition_Build_A369 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-11-02" + hash = "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce" + hash = "ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* CompanyName GeneralElectricCompany */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* FileVersion Build */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310037002000470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* LegalCopyright GeneralElectricCompany */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B { +rule 
PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_85FD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea" - date = "2023-11-02" + hash = "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ 
@@ -9292,485 +9669,479 @@ rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B { } -rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_2AA1 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-11-02" + hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { meta: - description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-11-02" + hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100380020005000750062006c00690063002000620079002000560065006b0074006f0072002000540031003300200028007200650076002e003000350029 } /* ProductName AntidetectPublicbyVektorTrev */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100380020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" - date = "2023-11-02" + hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_6F80 { +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0" - date = "2023-11-02" + hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0034002e003400390033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* InternalName AMDPowerProfilersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020007500500072006f0066 } /* ProductName AMDuProf */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* OriginalFilename AMDPowerProfilersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020003200300032003100200041004d004400200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright AMDIncAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-11-02" + hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e0032003000310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-11-02" + hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_7A2C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" - date = "2023-11-02" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: all of them } -rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { +rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-11-02" + hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000370037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003200380037 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-11-02" + hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000390031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003100200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1A45 { +rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67" - date = "2023-11-02" + hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003300370031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
ZemanaLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { +rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Lv561av.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-11-02" + hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000330033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f00670069007400650063006800200049006e0063002e } /* CompanyName LogitechInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* InternalName Lvavsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f006700690074006500630068002000570065006200630061006d00200053006f006600740077006100720065 } /* ProductName LogitechWebcamSoftware */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* OriginalFilename Lvavsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200031003900390036002d00320030003000390020004c006f006700690074006500630068002e002000200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright cLogitechAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E6D1 { 
meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-11-02" + hash = "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0031003000310036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600330032002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { +rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" author = "Florian Roth" 
reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-11-02" + hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002d003200300032003100200048005000200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCHPIncAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-11-02" + hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-11-02" + hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { +rule PUA_VULN_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-11-02" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ condition: all of 
them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-11-02" + hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000350032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006300740069007600650043006c00650061006e } /* ProductName ActiveClean */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_3AF9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-11-02" + hash = "3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: all of them } -rule PUA_VULN_Driver_Insydesoftware_Insydeflash_Insydeflashutilitybitdriver_CE0A { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iscflashx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iqvw64e.sys, iQVW64.SYS, NalDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9" - date = "2023-11-02" + 
hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" + hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* FileDescription iscflashxsys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f006600740077006100720065 } /* CompanyName InsydeSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049006e00730079006400650046006c006100730068 } /* InternalName InsydeFlash */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e007300790064006500200046006c0061007300680020005500740069006c00690074007900200036003400200062006900740020004400720069007600650072 } /* ProductName InsydeFlashUtilitybitDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* OriginalFilename iscflashxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003500200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription 
IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003300200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* 
FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_0368 { +rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d" - hash = "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea" - date = "2023-11-02" + hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003100200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00310020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0031 } /* ProductName MsIoDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_1E9C { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1078 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" - hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" - date = "2023-11-02" + hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" + date = "2024-08-07" 
score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } @@ -9782,7 +10153,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-11-02" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -9798,280 +10169,263 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { +rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_05C1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" - date = "2023-11-02" + hash = "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686" + hash = "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300032003000200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ condition: all of them } -rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-11-02" + hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000390039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-11-02" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* 
ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-11-02" + hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000390038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* InternalName CPUDriver */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* OriginalFilename CPUDriver */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006200790020004100530055005300540065006b00200043004f004d0050005500540045005200200049004e0043002e00200032003000300036 } /* LegalCopyright CopyrightbyASUSTekCOMPUTERINC */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 { +rule PUA_VULN_Driver_Proxydrvsys_Nn_0B20 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-11-02" + hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ condition: all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-11-02" + hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003100310035 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-11-02" + hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00320030002e0030002e0031003000310032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00320030 
} /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0030002e0031003000370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { +rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HW.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" - date = "2023-11-02" + hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" + hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003100350020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6E0A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + description 
= "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" - date = "2023-11-02" + hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_0ABC { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664" - date = "2023-11-02" + hash = 
"a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_81D5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-11-02" + hash = "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05" + date = 
"2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0032002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300031003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" - date = "2023-11-02" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ 
@@ -10081,991 +10435,1051 @@ rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { } -rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-11-02" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { +rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" - date = "2023-11-02" + hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070006f0072006100740069006f006e } /* CompanyName NVIDIACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00760066006c006100730068 } /* InternalName nvflash */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072 } /* ProductName NVIDIAFlashDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00760066006c006100730068002e007300790073 } /* OriginalFilename nvflashsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003100370020004e0056004900440049004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CNVIDIACorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_85FD { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3" - date = "2023-11-02" + hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion 
*/ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Proxydrvsys_Nn_C0E7 { +rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" - date = "2023-11-02" + hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100380020005000750062006c00690063002000620079002000560065006b0074006f0072002000540031003300200028007200650076002e003000350029 } /* ProductName AntidetectPublicbyVektorTrev */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100380020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ condition: all of them } -rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-11-02" + hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* 
ProductName AntidetectPublic */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BCED { +rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-11-02" + hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" + hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e00330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300035 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_B3D1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" - date = "2023-11-02" + hash = "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c" + hash = "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* 
CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-11-02" + hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e00310031002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e00310031002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_1698 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-11-02" + hash = "1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780036003400200064007200690076006500720020 } 
/* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0031003100310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ 
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_4CE8 { +rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonitorsdriverdevelopmentedition_7877 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VProEventMonitor.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0" - date = "2023-11-02" + hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e00310031003200380035002e0031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300030002d0032003000310031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e } /* CompanyName SymantecCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00340035003700300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* InternalName VProEventMonitorSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079006d0061006e0074006500630020004500760065006e00740020004d006f006e00690074006f00720073002000440072006900760065007200200044006500760065006c006f0070006d0065006e0074002000450064006900740069006f006e } /* ProductName SymantecEventMonitorsDriverDevelopmentEdition */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* OriginalFilename VProEventMonitorSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d0032003000300038002000530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSymantecCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { +rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" - date = "2023-11-02" + hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ condition: all of them 
} -rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-11-02" + hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" - date = "2023-11-02" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2024-08-07" score = 
40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" - date = "2023-11-02" + hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* 
FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_CA34 { +rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" - date = "2023-11-02" + hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */ condition: all of them } -rule PUA_VULN_Driver_Asmediatechnologyinc_Asmiosys_Asmediapcidriver_E465 { +rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsmIo64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysDrv3S.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb" - date = "2023-11-02" + hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* FileDescription AsmediaPCIDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410073006d006500640069006100200054006500630068006e006f006c006f00670079002000200049006e0063002e } /* CompanyName AsmediaTechnologyInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion 
builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* InternalName AsmIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* ProductName AsmediaPCIDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* OriginalFilename AsmIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000410073006d006500640069006100200054006500630068006e006f006c006f00670079002e } /* LegalCopyright AsmediaTechnology */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00330053002d0053006d00610072007400200053006f00660074007700610072006500200053006f006c007500740069006f006e007300200047006d00620048 } /* CompanyName SSmartSoftwareSolutionsGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c0035002c0036002c0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0035002e0036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530079007300440072007600330053 } /* InternalName SysDrvS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079007300440072007600330053 } /* ProductName SysDrvS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530079007300440072007600330053002e007300790073 } /* OriginalFilename SysDrvSsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300036002d0032003000310034 } /* LegalCopyright Copyright */ condition: all of them 
} -rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-11-02" + hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware 
*/ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_6945 { +rule PUA_VULN_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficymachineedition_Build_CAC5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402" - date = "2023-11-02" + 
hash = "cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461" + hash = "51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* CompanyName GEIntelligentPlatformsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* FileVersion Build */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310031002c00200047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* LegalCopyright GEIntelligentPlatformsInc */ condition: all of them } -rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_7C79 { +rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys" author = 
"Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f" - date = "2023-11-02" + hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0039002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0039002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonitorsdriverdevelopmentedition_7877 { +rule PUA_VULN_Driver_Lowleveldriver_F941 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VProEventMonitor.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
GPU-Z.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-11-02" + hash = "f9418b5e90a235339a4a1a889490faca39cd117a51ba4446daa1011da06c7ecd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e } /* CompanyName SymantecCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00340035003700300038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* InternalName VProEventMonitorSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079006d0061006e0074006500630020004500760065006e00740020004d006f006e00690074006f00720073002000440072006900760065007200200044006500760065006c006f0070006d0065006e0074002000450064006900740069006f006e } /* ProductName SymantecEventMonitorsDriverDevelopmentEdition */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* OriginalFilename VProEventMonitorSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d0032003000300038002000530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSymantecCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } /* FileDescription LowLevelDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } /* ProductName LowLevelDriver */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300034002d00320030003100300020002800630029002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" - date = "2023-11-02" + hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" + date = 
"2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { +rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" - date = "2023-11-02" + hash = 
"314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e0034002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0034002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003200200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { +rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, 
avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-11-02" + hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" + hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright 
CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320031002e00360033 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_30AB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-11-02" + hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300038 } /* LegalCopyright CopyrightCMRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC { +rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-11-02" + hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f0077007300ae002000770069006e006f007700730020003700200064007200690076006500720020006b006900740073002000700072006f00760069006400650072 } /* CompanyName Windowswinowsdriverkitsprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* InternalName HwRwDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* ProductName Hardwarereadwritedriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* OriginalFilename HwRwDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightMicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003100300034 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_0FC0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-11-02" + hash = "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName 
NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { +rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" - date = "2023-11-02" + hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription 
TrendMicroELAMDriverBit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007000680079006d0065006d } /* InternalName phymem */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007000680079006d0065006d } /* ProductName phymem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007000680079006d0065006d002e007300790073 } /* OriginalFilename phymemsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ condition: all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_D9A7 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_16A2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23" - hash = "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b" - date = "2023-11-02" + hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" + hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = 
{ 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: all of them } -rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { +rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-11-02" + hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f0067004d00650049006e002c00200049006e0063002e } /* CompanyName LogMeInInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* InternalName LMIinfosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0067004d00650049006e } /* ProductName LogMeIn */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* OriginalFilename LMIinfosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033002d00320030003100370020004c006f0067004d00650049006e002c00200049006e0063002e00200050006100740065006e00740065006400200061006e006400200070006100740065006e00740073002000700065006e00640069006e0067002e } /* LegalCopyright CopyrightLogMeInIncPatentedandpatentspending */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ 
condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-11-02" + hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* FileVersion r */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* ProductVersion r */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ condition: all of them } -rule PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { +rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
VBoxUSB.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" - date = "2023-11-02" + hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500069006e00640075006f00640075006f0020004c0074006400200043006f00720070 } /* CompanyName 
PinduoduoLtdCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500069006e00640075006f00640075006f00200053006500630075007200650020005600440049 } /* ProductName PinduoduoSecureVDI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d0032003000320031002000500069006e00640075006f00640075006f00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCPinduoduoCorporation */ condition: all of them } -rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-11-02" + hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* 
FileDescription ASUSKernelModeDriverforNT */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* InternalName IOMapsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* ProductName ASUSKernelModeDriverforNT */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* OriginalFilename IOMapsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003100300020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-11-02" + hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* ProductVersion */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { +rule 
PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-11-02" + hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { +rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-11-02" + hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_848B { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891" - date = "2023-11-02" + hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00320030002e0030002e0031003000300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" - date = "2023-11-02" + hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" + date = 
"2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule 
PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { +rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-11-02" + hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f00480057004d0049004f00360034005f005700310030002e007300790073 } /* OriginalFilename BSHWMIOWsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ condition: all of them } -rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { +rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-11-02" + hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070006f0072006100740069006f006e } /* CompanyName NVIDIACorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00760066006c006100730068 } /* InternalName nvflash */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072 } /* ProductName NVIDIAFlashDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00760066006c006100730068002e007300790073 } /* OriginalFilename nvflashsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003100370020004e0056004900440049004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CNVIDIACorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_B224 { + meta: + description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { meta: description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-11-02" + hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0032002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0032002e0037 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" - date = "2023-11-02" + hash = "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } -rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_9DEE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-11-02" + hash = "9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037003100320030003100300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006700640072007600360034 } /* ProductName gdrv */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: all of them } -rule 
PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-11-02" + hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* OriginalFilename mtcBSvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-11-02" + hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_30AB { +rule PUA_VULN_Driver_Asmediatechnologyinc_Asmiosys_Asmediapcidriver_E465 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsmIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" 
- date = "2023-11-02" + hash = "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300038 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* FileDescription AsmediaPCIDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410073006d006500640069006100200054006500630068006e006f006c006f00670079002000200049006e0063002e } /* CompanyName AsmediaTechnologyInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* InternalName AsmIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* ProductName AsmediaPCIDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* OriginalFilename AsmIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000410073006d006500640069006100200054006500630068006e006f006c006f00670079002e } /* LegalCopyright AsmediaTechnology */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: all of them } diff --git a/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar b/detections/yara/other/yara-rules_vuln_drivers_strict_renamed.yar similarity index 94% rename from detections/yara/yara-rules_vuln_drivers_strict_renamed.yar rename to detections/yara/other/yara-rules_vuln_drivers_strict_renamed.yar index 09fe5684e..366cc0b06 100644 --- a/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +++ b/detections/yara/other/yara-rules_vuln_drivers_strict_renamed.yar 
@@ -1,538 +1,1183 @@ -rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_3867 { +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" + hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" + hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" + hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" + hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" + hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" + hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" + hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" + hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName 
CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310037002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0E85 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" + hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" + hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" + hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" + hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" + hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" + hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" + hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" + hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" + hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_786F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" + hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" + hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" + hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" + hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i +} + + +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_A397 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" + hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" + hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" + hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" + hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" + hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" + hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" + hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" + hash 
= "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" + hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" + hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" + hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" + hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" + hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" + hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_D7E0 { + meta: + description = 
"Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i +} + + +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_2298 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" + hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" + hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" + hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" + 
hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" + hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" + hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = 
"4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" + hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" + hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" + hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" + hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" + hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" + hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" + hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" + hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" + hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" + hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* 
OriginalFilename AsrDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrDrv/i +} + + +rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_0ABC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GtcKmdfBs/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_9DBC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /netfilter2/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" + hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" + hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright Copyrightnncom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /LgDataCatcher/i +} + + +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* 
CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vboxguest/i +} + + +rule PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" + hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" + date = "2024-08-07" + score = 70 + strings: + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright CopyrightCEldoSCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elrawdsk/i +} + + +rule 
PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i +} + + +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { + meta: + description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i +} + + 
+rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_2594 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + condition: + uint16(0) == 0x5a4d and filesize < 
200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8473 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" + hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + +rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_CFAB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8" - hash = "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c" - date = "2023-11-02" + hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" + hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" + hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" + hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" + hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /inpout32/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_4CD8 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* 
InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vboxguest/i +} + + +rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RwDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" + hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" + hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" + hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" + hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" + hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" + hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" + hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200770044007200760020004400720069007600650072 } /* ProductName RwDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /RwDrv/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" + hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" + hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" + date = "2024-08-07" + score = 70 + strings: + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* InternalName vmdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* OriginalFilename vmdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200056006f006900630065006d006f006400200053002e004c002e0032003000310030002d0032003000320030 } /* LegalCopyright CopyrightCVoicemodSL */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vmdrv/i +} + + +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_A130 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + 
hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" + hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i +} + + +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { + meta: + description = "Detects renamed vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO64I/i +} + + +rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_6945 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - PDFWKRNL.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + condition: + uint16(0) == 
0x5a4d and filesize < 100KB and all of them and not filename matches /PDFWKRNL/i +} + + +rule PUA_VULN_Renamed_Driver_Fintekcorp_Fintekcorpfintekpcieuart_32BD { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e" + hash = "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d" + hash = "b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006e00740065006b002000500063006900650032005500610072007400200041006400610070007400650072 } /* FileDescription FintekPcieUartAdapter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e } /* CompanyName FintekCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e002000460069006e00740065006b0020005000630069006500320055006100720074 } /* ProductName FintekCorpFintekPcieUart */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200040002000460069006e00740065006b00200043006f00720070002e00200032003000300032002d0032003000310033 } /* LegalCopyright CopyrightFintekCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not 
filename matches /FPCIE2COM/i +} + + +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_42B3 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180" + hash = "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i +} + + 
+rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not 
filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_EC13 { +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" - hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" - date = "2023-11-02" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSB/i } -rule PUA_VULN_Renamed_Driver_Iobit_Iobitunlockersys_Iobitunlocker_5EA5 { +rule PUA_VULN_Renamed_Driver_Netfiltersys_F171 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
iobitunlocker.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" - hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" - hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" - hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" - hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" - hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" - hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" - hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" - hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" - hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" - hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" - hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" - hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" - date = "2023-11-02" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i + 
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_D807 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_DD4F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" - hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" - hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" - date = "2023-11-02" + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB 
and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NICM/i } -rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_7462 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_7627 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" - hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" - hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" - hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" - hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" - hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - date = "2023-11-02" + hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" + hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ 
= { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 2900KB and all of them and not 
filename matches /kEvP64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i } -rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_16AE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-11-02" + hash = "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c" + hash = "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { +rule 
PUA_VULN_Renamed_Driver_Computerz_Computerzsys_Computerzsystemdriver_61F3 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-11-02" + hash = "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ComputerZSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f006d00700075007400650072005a } /* CompanyName ComputerZ */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* ProductName ComputerZSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300030003800200043006f006d00700075007400650072005a } /* LegalCopyright CopyrightCComputerZ */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1B00 { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_88E2 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" - hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2023-11-02" + hash = "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc" + hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478" + hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" + hash = "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a" + hash = "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476" + hash = "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06" + hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" + hash = "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7" + hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" + hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" + hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* 
InternalName procexpsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Yyinc_Dianhu_BB50 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" - hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0059005900200049006e0063002e } /* CompanyName YYInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* ProductVersion */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006400690061006e00680075 } /* ProductName dianhu */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d003200300031003700200059005900200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightYYIncAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Dh_Kernel/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_3C0A { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8" - date = "2023-11-02" + hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" + hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" + hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" + hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" + hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" + hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = 
"65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" + hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00330032 } /* FileDescription GenericPortIOforWin */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { +rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Vdbsvsys_Mitacsystemserviceprovider_91AF { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header 
- VdBSv64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2023-11-02" + hash = "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* 
CompanyName MiTACTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* InternalName VdBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* OriginalFilename VdBSvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VdBSv64/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_00B3 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" - hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" - hash = 
"b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" - hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-11-02" + hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" + hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" + hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" + hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" + hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i } -rule PUA_VULN_Renamed_Driver_Phoenixtechnologies_Agentsys_Driveragent_6948 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_B50F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" - hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" - hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" - hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" - hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" - hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" - date = "2023-11-02" + hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" + hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" + hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" + hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" + hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073 } /* CompanyName PhoenixTechnologies */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* InternalName Agentsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004400720069007600650072004100670065006e0074 } /* ProductName DriverAgent */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* OriginalFilename Agentsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0045006e0054006500630068002000540061006900770061006e002c00200031003900390037002d0032003000300039 } /* LegalCopyright EnTechTaiwan */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Agent64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { +rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects renamed vulnerable driver mentioned 
in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7" - hash = "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c" - hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" - hash = "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9" - hash = "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5" - hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" - hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee" - hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" - date = "2023-11-02" + hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" + hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300030003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d00320030003000380020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightCOpenLibSysorgAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0/i and not filename matches /WinRing0x64/i } -rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { +rule PUA_VULN_Renamed_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" - date = "2023-11-02" + hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f0077007300ae002000770069006e006f007700730020003700200064007200690076006500720020006b006900740073002000700072006f00760069006400650072 } /* CompanyName Windowswinowsdriverkitsprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* InternalName HwRwDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* ProductName Hardwarereadwritedriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* OriginalFilename HwRwDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightMicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and 
all of them and not filename matches /VBoxUSB/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HwRwDrv/i } -rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" - hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" - hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" - hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" - hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" - hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" - hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" - hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" - date = "2023-11-02" + hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_F4DC { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2" - hash = "070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103" - date = "2023-11-02" + hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* InternalName AODDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* OriginalFilename AODDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AODDriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_FF55 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" - date = "2023-11-02" + hash = "ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NCHGBIOS2x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i } -rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_A855 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" - hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" - hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-11-02" + hash = 
"a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" - hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-11-02" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription 
NTIOLibForMSISimpleOC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_0FC3 { +rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7" - hash = "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554" - date = "2023-11-02" - score = 70 - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310031 } /* 
FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* InternalName Monitorsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e006300650064002000530079007300740065006d0043006100720065 } /* ProductName AdvancedSystemCare */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* OriginalFilename Monitorsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Monitor_win10_x64/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { +rule PUA_VULN_Renamed_Driver_Iobit_Iobitunlockersys_Iobitunlocker_2B33 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" - hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-11-02" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = 
"b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000370030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i } 
@@ -542,7 +1187,7 @@ rule PUA_VULN_Renamed_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-11-02" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ 
@@ -558,850 +1203,743 @@ rule PUA_VULN_Renamed_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EE3F { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" - hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003000390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* 
LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100370036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* 
LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 { +rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb" - hash = "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9" - date = "2023-11-02" + hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i } -rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_F4DC { meta: - 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-11-02" + hash = "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2" + hash = "070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f005200430049004f00360034002e007300790073 } /* OriginalFilename BSRCIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* 
LegalCopyright CopyrightcBIOSTARGroup */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_RCIO64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AODDriver/i } -rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { +rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_8FE4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" - date = "2023-11-02" + hash = "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65" + hash = "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00360034 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches 
/rtport/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D633 { +rule PUA_VULN_Renamed_Driver_Anticheatexpertcom_Acebase_Anticheatexpert_7326 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ACE-BASE.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b" - hash = "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36" - date = "2023-11-02" + hash = "7326aefff9ea3a32286b423a62baebe33b73251348666c1ee569afe62dd60e11" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100430045002d0042004100530045003600340020004e00540020004400720069007600650072 } /* FileDescription ACEBASENTDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041004e0054004900430048004500410054004500580050004500520054002e0043004f004d } /* CompanyName ANTICHEATEXPERTCOM */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032003200300032002e0036003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100430045002d004200410053004500360034 } /* InternalName ACEBASE */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069002d004300680065006100740020004500780070006500720074 } /* ProductName AntiCheatExpert */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200041006e0074006900430068006500610074004500780070006500720074002e0063006f006d0020004c0069006d0069007400650064002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright AntiCheatExpertcomLimitedAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 1900KB and all of them and not filename matches /ACE-BASE/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { +rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values 
from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-11-02" + hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i } -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_1072 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" 
reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-11-02" + hash = "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a" + hash = "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0061007600610073007400210020004e0047 } /* ProductName avastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003200200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i } -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_65DE { +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_8A07 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" - 
hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" - hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" - hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" - hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" - hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" - hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" - hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" - hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" - hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" - hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" - date = "2023-11-02" + hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" + hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" + hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" + hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" + hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" + hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" + hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" + hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" + hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" + hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" + hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i } -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 
{ +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" - hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-11-02" + hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" + hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" + hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" + hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" + hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" + hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" + hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" + hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" + hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" + hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" + hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" + hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" + hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" + hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" + hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" + hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" + hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" + hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" + 
hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* InternalName amifldrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* OriginalFilename amifldrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310030002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /amifldrv64/i and not filename matches /amifldrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i } -rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { +rule PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_C0E7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-11-02" + hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /OpenLibSys/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /ProxyDrv/i } -rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_5381 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-11-02" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043005900520045004e00200049006e0063002e } /* CompanyName CYRENInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d0050 } /* InternalName AMP */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005900520045004e00200041004d005000200035 } /* ProductName CYRENAMP */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d0070002e007300790073 } /* OriginalFilename ampsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000310039003900390020002d00200032003000310034002e00200043005900520045004e00200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCYRENIncAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB 
and all of them and not filename matches /amp/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i } -rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_26EC { +rule PUA_VULN_Renamed_Driver_Netfiltersys_26D6 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd" - hash = "dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233" - date = "2023-11-02" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i } -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_442D { +rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_927C { meta: - description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86-withoutdbg.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243" - hash = "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c" - date = "2023-11-02" + hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" + hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" + hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" + hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } 
/* OriginalFilename SBIOSIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300740065006b } /* CompanyName ASUStek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044007200690076006500720037002e007300790073 } /* InternalName Driversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300200074006f006f006c } /* ProductName ECtool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044007200690076006500720037 } /* OriginalFilename Driver */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020 } /* LegalCopyright Copyright */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SBIOSIO64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /driver7-x86-withoutdbg/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_66A2 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { meta: - description = "Detects renamed vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" - hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" - hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" - date = "2023-11-02" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i } -rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_0B54 { +rule PUA_VULN_Renamed_Driver_Intelcorp_Stdcdrvwssys_Selftestdatacollectordriverforwindowsx_70AF { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - rzpnk.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrvws64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" - hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" - hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" - hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" - date = "2023-11-02" + hash = "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f00720020004400720069007600650072 } /* FileDescription SelfTestDataCollectorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070002e } /* CompanyName IntelCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* InternalName stdcdrvwssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072002000440072006900760065007200200066006f0072002000570069006e0064006f00770073002000370020007800360034 } /* ProductName SelfTestDataCollectorDriverforWindowsx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* OriginalFilename stdcdrvwssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310030 } /* LegalCopyright Copyright */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /stdcdrvws64/i } -rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { +rule PUA_VULN_Renamed_Driver_Realteksemiconductorcorp_Rtportsys_Realtekportio_FF32 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
vboxdrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" - hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-11-02" + hash = "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* ProductVersion r */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* FileDescription REALTEKPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* CompanyName REALTEKSemiconductorCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* InternalName RTPORTSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* ProductName REALTEKPortIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* OriginalFilename RTPORTSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200031003900390039002d00320030003000310020005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* LegalCopyright CopyrightcREALTEKSemiconductorCorp */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /vboxdrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i } -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" - hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" - hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" - date = "2023-11-02" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright Copyrightnncom */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /LgDataCatcher/i + uint16(0) == 
0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule PUA_VULN_Renamed_Driver_Bsmisys_552F { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_834A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" - hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - date = "2023-11-02" + hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BSMIx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntamfnbvctvcbmftwc_36B9 { +rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_F4C7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_Def64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" - hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" - hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" - hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" - date = "2023-11-02" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100730075007300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName AsusTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* InternalName BsDefsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007500700070006f0072007400200053005300540033003900530046003000320030002c0053005300540032003900450045003000320030002c004100540034003900460030003000320054002c00410054003200390043003000320030002c0041004d003200390046003000300032004e0054002c0041004d003200390046003000300032004e0042002c0056003200390043003500310030003000320054002c0056003200390043003500310030003000320042002c004d0032003900460030003000320054002c0057003200390043003000320030002e } /* ProductName 
SupportSSTSFSSTEEATFTATCAMFNTAMFNBVCTVCBMFTWC */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* OriginalFilename BsDefsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004100730075007300540065006b00200043006f006d00700075007400650072002e00200031003900390032002d0032003000300034 } /* LegalCopyright CopyrightCAsusTekComputer */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_Def64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of 
them and not filename matches /EIO/i } -rule PUA_VULN_Renamed_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_05C1 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686" - hash = "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f" - date = "2023-11-02" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300032003000200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches 
/CP2X72C/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3070 { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-11-02" + hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Featureintegrationtechnologyinc_Fintekpciecom_81FB { +rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_3867 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d" - hash = "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1" - date = "2023-11-02" + hash = "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8" + hash = "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460049004e00540045004b002000500043004900450043004f004d00200041006400610070007400650072 } /* FileDescription FINTEKPCIECOMAdapter */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName FeatureIntegrationTechnologyInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460049004e00540045004b002000500043004900450043004f004d0020 } /* ProductName FINTEKPCIECOM */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200320020004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightCFeatureIntegrationTechnologyInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* 
ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /FPCIE2COM/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2023-11-02" + hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0030002e0031003000370032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000330033 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" - hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" - hash = 
"df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" - hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" - hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" - hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" - hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" - hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" - hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" - hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" - hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" - hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" - hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" - hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" - hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" - hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" - hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" - hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" - hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310030002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - -rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2023-11-02" + hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e0034002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0034002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003200200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003100200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NCHGBIOS2x64/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i } -rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_D680 { +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7" - hash = "e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65" - hash = "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab" - hash = "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e" - date = "2023-11-02" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i } -rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_C6A5 { +rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413" - hash = "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d" - date = "2023-11-02" + hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" + hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" + hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f002000640072006900760065007200200066006c0065 } /* ProductName BIOSTARIOdriverfle */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f0049003200630049006f002e007300790073 } /* OriginalFilename BSIcIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300036002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_I2cIo/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_F77F { +rule PUA_VULN_Renamed_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" - hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" - hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" - hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" - date = "2023-11-02" + hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Interfacecorporation_Cpxcsys_Gpcxc_1183 { +rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359" - date = "2023-11-02" + hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d003200580037003200430020004b00650072006e0065006c0020004400650076006900630065002000440072006900760065007200280053005900530029002000570069006e0064006f00770073004e0054 } /* FileDescription GPCXCKernelDeviceDriverSYSWindowsNT */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e007300790073 } /* InternalName CPXCsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043 } /* ProductName GPCXC */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043 } /* OriginalFilename CPXC */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300030003700200049006e007400650072006600610063006500200043006f00720070002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorpAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* OriginalFilename mtcBSvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CP2X72C/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mtcBSv64/i } -rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-11-02" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName 
KProcessHacker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /kprocesshacker/i + 
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_C0C5 { +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b" - hash = "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180" - date = "2023-11-02" + hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = 
{ 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003700200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i + uint16(0) == 0x5a4d and 
filesize < 100KB and all of them and not filename matches /iQVW64/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_3140 { +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys, viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" - hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" - hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" - hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" - hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" - date = "2023-11-02" + hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS 
*/ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viraglt64/i and not filename matches /viragt64/i } 
-rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_47E3 { +rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Pancafemanager_0650 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFltX64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" - hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" - hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" - hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" - hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" - hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" - hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" - hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" - date = "2023-11-02" + hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* InternalName PanMonFltXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ + $ = 
{ 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* OriginalFilename PanMonFltXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanMonFltX64/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3D00 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D633 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2" - date = "2023-11-02" + hash = "d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b" + hash = "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ 
@@ -1411,268 +1949,277 @@ rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3D } -rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" - hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" - hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" - hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" - hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" - date = "2023-11-02" + hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e002c00200032003000300033 } /* LegalCopyright CopyrightCATITechnologiesInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* 
LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atillk64/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B { +rule PUA_VULN_Renamed_Driver_Bsmisys_5962 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMI.sys, BSMIXP64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-11-02" + hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" + hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c0065006e006f0076006f002000470072006f007500700020004c0069006d00690074006500640020002800520029 } /* CompanyName LenovoGroupLimitedR */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* InternalName LenovoDiagnosticsDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073 } /* ProductName LenovoDiagnostics */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* OriginalFilename LenovoDiagnosticsDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000320030003200310020004c0065006e006f0076006f002000470072006f007500700020004c0069006d0069007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright LenovoGroupLimitedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LenovoDiagnosticsDriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /BSMI/i and not filename matches /BSMIXP64/i } -rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_E757 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_C6FE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LHA.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" - date = "2023-11-02" + hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" + hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" + hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" + hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c004700200045006c0065006300740072006f006e00690063007300200049006e0063002e } /* CompanyName LGElectronicsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00480041002e007300790073 } /* InternalName LHAsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00480041002e007300790073 } /* OriginalFilename LHAsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0075006c00740072006100620069006f007300400068006f0074006d00610069006c002e0063006f006d } /* LegalCopyright ultrabioshotmailcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LHA/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not 
filename matches /nscm/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E728 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" - hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" - hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" - date = "2023-11-02" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule 
PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" - hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" - hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" - date = "2023-11-02" + hash = "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1" + hash = "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7" + hash = "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8" + hash = "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793" + hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" + hash = "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4" + hash = "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb" + hash = "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530" + hash = "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5" + hash = "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03" + hash = "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6" + hash = "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d" + hash = "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6" + hash = "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2" + hash = "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be" + hash = "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805" + hash = 
"7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" + hash = "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57" + hash = "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4" + hash = "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558" + hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" + hash = "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94" + hash = "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d" + hash = "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482" + hash = "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7" + hash = "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1" + hash = "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499" + hash = "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526" + hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" + hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" + hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f002000640072006900760065007200200066006c0065 } /* ProductName BIOSTARIOdriverfle */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f0049003200630049006f002e007300790073 } /* OriginalFilename BSIcIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300036002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_I2cIo/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule 
PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1792 { +rule PUA_VULN_Renamed_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_7C8A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" - hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" - hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" - hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - date = "2023-11-02" + hash = "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00330033002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00330033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 
} /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000310038004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright NCRCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /RadHwMgr/i } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { +rule PUA_VULN_Renamed_Driver_Avaluetechnologyinc_Avalueio_Avalueio_A5A4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - avalueio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" - hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" - hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" - hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" - hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" - hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" - hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" - hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" - hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" - date = "2023-11-02" + hash = "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec" + hash = "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription 
CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310037002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100760061006c007500650049004f0020004400720069007600650072 } /* FileDescription AvalueIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0020004100760061006c0075006500200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName AvalueTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100560041004c005500450049004f } /* InternalName AVALUEIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061006c007500650049004f0020 } /* ProductName AvalueIO */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100560041004c005500450049004f002e005300590053 } /* OriginalFilename AVALUEIOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006300200032003000310036 } /* LegalCopyright Copyrightc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /avalueio/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7A48 { +rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntamfnbvctvcbmftwc_5F5E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Bs_Def.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2023-11-02" + hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" + hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" + hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" + hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310036002e00340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100730075007300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName AsusTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* InternalName BsDefsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0053007500700070006f0072007400200053005300540033003900530046003000320030002c0053005300540032003900450045003000320030002c004100540034003900460030003000320054002c00410054003200390043003000320030002c0041004d003200390046003000300032004e0054002c0041004d003200390046003000300032004e0042002c0056003200390043003500310030003000320054002c0056003200390043003500310030003000320042002c004d0032003900460030003000320054002c0057003200390043003000320030002e } /* ProductName SupportSSTSFSSTEEATFTATCAMFNTAMFNBVCTVCBMFTWC */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* OriginalFilename BsDefsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004100730075007300540065006b00200043006f006d00700075007400650072002e00200031003900390032002d0032003000300034 } /* LegalCopyright CopyrightCAsusTekComputer */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Bs_Def/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_F27F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2023-11-02" + hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" + hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" + hash 
= "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" + hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" + hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" + hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /libnicm/i } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - 
hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" - hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" - hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" - hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" - hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" - hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" - hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" - hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" - hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" - hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" - hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" - date = "2023-11-02" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename 
cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_2E66 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_5A66 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" - hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" - hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" - hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" + hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" - date = "2023-11-02" + hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" + hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" + hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ 
@@ -1687,1786 +2234,1795 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_2E66 { } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_8D57 { +rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" - hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" - hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" - hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" - hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" - hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" - date = "2023-11-02" + hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310035002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* InternalName PanIOxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* OriginalFilename PanIOxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIOx64/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9B6A { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2023-11-02" + hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00320037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00320037 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310039 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006e0054006500630068002000540061006900770061006e } /* CompanyName EnTechTaiwan */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065003600340061002e007300790073 } /* InternalName seasys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0073006f006600740045006e00670069006e0065002d007800360034 } /* ProductName softEnginex */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065003600340061002e007300790073 } /* OriginalFilename seasys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200045006e0054006500630068002000540061006900770061006e002c00200032003000300034002d0032003000300036002e } /* LegalCopyright CopyrightcEnTechTaiwan */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Se64a/i } -rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" - hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" - date = "2023-11-02" + hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrDrv/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9521 { +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_F159 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4" - hash = "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7" - hash = "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94" - hash = "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526" - hash = 
"ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" - hash = "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d" - hash = "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805" - hash = "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793" - hash = "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb" - hash = "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558" - hash = "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8" - hash = "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482" - hash = "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499" - hash = "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1" - hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" - hash = "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1" - hash = "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7" - hash = "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03" - hash = "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4" - hash = "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2" - hash = "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be" - hash = "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57" - hash = "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6" - hash = "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5" - hash = "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6" - hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" - hash = "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530" - hash = "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d" - hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" - hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" - hash = 
"39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" - date = "2023-11-02" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i } -rule PUA_VULN_Renamed_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_2F8B { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hwdetectng.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f" - hash = "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2" - hash = "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee" - date = "2023-11-02" + hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480057004400650074006500630074004e0047 } /* FileDescription HWDetectNG */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069004e00460045005200520045 } /* CompanyName iNFERRE */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* InternalName hwdetectngsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* ProductName hwdetectngsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* OriginalFilename hwdetectngsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200032003000300038002d0030003900200069004e00460045005200520045 } /* LegalCopyright ciNFERRE */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hwdetectng/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_4285 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" - hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" - hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" - date = "2023-11-02" + hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" + hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300740065006b } /* CompanyName ASUStek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044007200690076006500720037002e007300790073 } /* InternalName Driversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300200074006f006f006c } /* ProductName ECtool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044007200690076006500720037 } /* OriginalFilename Driver */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /driver7-x86/i + uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Netfiltersys_26D6 { +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_3C11 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" - hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" - hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" - date = "2023-11-02" + hash = "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d" + hash = "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9" + hash = "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300030003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AODDriver/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B832 { +rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25" - hash = "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f" - date = "2023-11-02" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* 
FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D682 { +rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_8FE9 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476" - hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" - hash = "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc" - hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" - hash = "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06" - hash = 
"3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a" - hash = "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7" - hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478" - hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" - hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" - hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" - date = "2023-11-02" + hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003100310035 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 { +rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_4932 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-11-02" + hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" + hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = 
"ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" + hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" + hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription 
CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" + 
date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_2203 { +rule PUA_VULN_Renamed_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" 
author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958" - date = "2023-11-02" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300038002c002000300035002c002000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LgCoreTemp/i } -rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { +rule PUA_VULN_Renamed_Driver_Intelcorporation_Stdcdrvsys_Selftestdatacollector_3702 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrv64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" - date = "2023-11-02" + hash = "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* 
FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* FileDescription SelfTestDataCollector */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* InternalName stdcdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* ProductName SelfTestDataCollector */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* OriginalFilename stdcdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcIntelCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /stdcdrv64/i } -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7CB5 { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-11-02" + hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" + hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* 
ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_5A82 { +rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D { meta: - description 
= "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" - hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" - date = "2023-11-02" + hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" + hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright CopyrightCEldoSCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elrawdsk/i + uint16(0) == 0x5a4d and 
filesize < 100KB and all of them and not filename matches /gdrv/i } -rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { +rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_3C0A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-11-02" + hash = "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002d003200300032003100200048005000200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCHPIncAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00330032 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HpPortIox64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them 
and not filename matches /rtport/i } -rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_B8DE { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_5FAE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" - hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" - hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" - hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" - hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" - date = "2023-11-02" + hash = "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /inpout32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" - date = "2023-11-02" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSBMon/i } -rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_1A45 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-11-02" + hash = "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300750070006500720062006d0063 } /* InternalName superbmc */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007300750070006500720062006d0063 } /* ProductName superbmc */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300750070006500720062006d0063002e007300790073 } /* OriginalFilename superbmcsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /superbmc/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches 
/ngiodriver/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" - date = "2023-11-02" + hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" + hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003000390039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_DD2F { 
+rule PUA_VULN_Renamed_Driver_Yyinc_Dianhu_80CB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel_10.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" - hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" - hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" - hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" - date = "2023-11-02" + hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" + hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0059005900200049006e0063002e } /* CompanyName YYInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006400690061006e00680075 } /* ProductName dianhu */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d003200300031003700200059005900200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightYYIncAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Dh_Kernel_10/i } -rule PUA_VULN_Renamed_Driver_Dell_Dbutil_71FE { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-11-02" + hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" + hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" + hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440065006c006c } /* CompanyName Dell */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0037002e0030002e0030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440042005500740069006c } /* ProductName DBUtil */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000320031002000440065006c006c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e0020 } /* LegalCopyright DellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DBUtilDrv2/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rwdrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" - hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" - hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" - hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" - hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" - hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" - hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" - hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" - date = "2023-11-02" + hash = 
"a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200770044007200760020004400720069007600650072 } /* ProductName RwDrvDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rwdrv/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Netfiltersys_7FF8 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Wnbiossys_Windowsrwinddkdriver_530D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wnbios.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" - hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" - hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" - date = "2023-11-02" + hash = "530d9223ec7e4123532a403abef96dfd1af5291eb49497392ff5d14d18fccfbb" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0057006e00420069006f00730020004400720069007600650072 } /* FileDescription WnBiosDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* InternalName wnbiossys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* OriginalFilename wnbiossys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /wnbios/i } -rule PUA_VULN_Renamed_Driver_Elitegroupcomputersystems_Ecsiodriversys_Ecsiodriver_2705 { +rule PUA_VULN_Renamed_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ecsiodriverx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc" - date = "2023-11-02" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045004300530049006f004400720069007600650072 } /* FileDescription ECSIoDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073 } /* CompanyName ElitegroupComputerSystems */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* InternalName ECSIoDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300530049006f004400720069007600650072 } /* ProductName ECSIoDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* OriginalFilename ECSIoDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d003200300031003000200045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCElitegroupComputerSystemsAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + 
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ecsiodriverx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_F4E5 { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_591B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114" - hash = "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54" - date = "2023-11-02" + hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { +rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_47EA { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-11-02" + hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" + hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* 
FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0/i and not filename matches /WinRing0x64/i } -rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-11-02" + hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName MsIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310035002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1078 { +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_909D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-11-02" + hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { +rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" - date = "2023-11-02" + hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" + hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" + hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" + hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" + hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" + hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" + date = 
"2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e002c00200032003000300033 } /* LegalCopyright CopyrightCATITechnologiesInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atillk64/i } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_F7E0 { +rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_E502 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" - hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" - hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" - hash = 
"6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" - hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" - hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-11-02" + hash = "e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65" + hash = "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab" + hash = "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7" + hash = "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName 
CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { +rule 
PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-11-02" + hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /KfeCo11X64/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule 
PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_16A2 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" - hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2023-11-02" + hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i } -rule 
PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NalDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" - hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2023-11-02" + hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003300200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ 
condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NalDrv/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6FB5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2023-11-02" + hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_C190 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_3B71 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" - date = "2023-11-02" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } -rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_DAF5 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" - hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - hash = 
"87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" - hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-11-02" + hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* 
CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i } -rule PUA_VULN_Renamed_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysDrv3S.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-11-02" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00330053002d0053006d00610072007400200053006f00660074007700610072006500200053006f006c007500740069006f006e007300200047006d00620048 } /* CompanyName SSmartSoftwareSolutionsGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c0035002c0036002c0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0035002e0036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530079007300440072007600330053 } /* InternalName SysDrvS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079007300440072007600330053 } /* ProductName SysDrvS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530079007300440072007600330053002e007300790073 } /* OriginalFilename SysDrvSsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300036002d0032003000310034 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* 
ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SysDrv3S/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i } -rule PUA_VULN_Renamed_Driver_Copyright_Advancedmalwareprotection_6F55 { +rule PUA_VULN_Renamed_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2023-11-02" + hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007000790072006900670068007400200032003000310038002e } /* CompanyName Copyright */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 
} /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* ProductName AdvancedMalwareProtection */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005a0041004d002e006500780065 } /* OriginalFilename ZAMexe */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000310038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079 } /* CompanyName HPDevelopmentCompany */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* InternalName etdsuppsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048005000200045005400440069002000440072006900760065007200200044004c004c } /* ProductName HPETDiDriverDLL */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* OriginalFilename etdsuppsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200031003900390031002d00320030003200320020004800650077006c006500740074002d005000610063006b00610072006400200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079002c0020004c002e0050002e } /* LegalCopyright CCopyrightHewlettPackardDevelopmentCompanyLP */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /amsdk/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /etdsupp/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3CB1 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_DB1D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284" - hash = "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91" - date = "2023-11-02" + hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" + hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" + hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" + hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" + hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" + hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" + hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" + hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion 
builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i } -rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D636 { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" - hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" - hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" - date = "2023-11-02" + hash = 
"4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003300200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00330020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0033 } /* ProductName MsIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_1072 { +rule PUA_VULN_Renamed_Driver_Netfiltersys_1265 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a" - hash = "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994" - date = "2023-11-02" + hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" + hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" + hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0061007600610073007400210020004e0047 } /* ProductName avastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003200200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright 
CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_405A { +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - 
hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" - hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" - hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" - hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" - hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-11-02" + hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /iQVW64/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { +rule PUA_VULN_Renamed_Driver_Iobit_Iobitunlockersys_Iobitunlocker_C79A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2023-11-02" + hash = "c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i } -rule 
PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" - date = "2023-11-02" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_AB09 { +rule 
PUA_VULN_Renamed_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" - hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" - hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" - hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" - hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" - hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-11-02" + hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" + hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" + hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" + hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" + hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" + hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } 
/* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073 } /* CompanyName PhoenixTechnologies */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* InternalName Agentsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004400720069007600650072004100670065006e0074 } /* ProductName DriverAgent */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* OriginalFilename Agentsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0045006e0054006500630068002000540061006900770061006e002c00200031003900390037002d0032003000300039 } /* LegalCopyright EnTechTaiwan */ condition: - uint16(0) 
== 0x5a4d and filesize < 200KB and all of them and not filename matches /libnicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Agent64/i } -rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_95D5 { +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_FA77 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-11-02" + hash = "fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a" + hash = "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: - description = "Detects renamed 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-11-02" + hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* ProductVersion r */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /VBoxDrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_003E { +rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
OpenLibSys.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" - date = "2023-11-02" + hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + 
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /OpenLibSys/i } -rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_A97B { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67" - hash = "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d" - date = "2023-11-02" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 { +rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrIbDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003200320039 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" + hash = "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de" + hash = "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f" + hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" + hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" + hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* ProductName RWEverythingReadWriteDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename 
RwDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrIbDrv/i } -rule PUA_VULN_Renamed_Driver_Evgatechnologyinc_Windowsvistasmartiodevice_Windowsvistasmartiodevice_3C95 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SMARTEIO64.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50" - date = "2023-11-02" + hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* FileDescription WindowsVistaSmartIODevice */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName EVGATechnologyInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* InternalName WindowsVistaSmartIODevice */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* ProductName WindowsVistaSmartIODevice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053004d00410052005400450049004f00360034002e005300590053 } /* OriginalFilename SMARTEIOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800630029002000320030003000370020004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightcEVGATechnologyInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000340037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SMARTEIO64/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Avaluetechnologyinc_Avalueio_Avalueio_DEFD { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_2203 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - avalueio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd" - hash = "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec" - date = "2023-11-02" + hash = "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100760061006c007500650049004f0020004400720069007600650072 } /* FileDescription AvalueIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0020004100760061006c0075006500200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName AvalueTechnologyInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100560041004c005500450049004f } /* InternalName AVALUEIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061006c007500650049004f0020 } /* ProductName AvalueIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100560041004c005500450049004f002e005300590053 } /* OriginalFilename AVALUEIOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006300200032003000310036 } /* LegalCopyright Copyrightc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300038002c002000300035002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /avalueio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" - date = "2023-11-02" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_468B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-11-02" + hash = "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5" + hash = "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_653F { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" - hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" - hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" - date = "2023-11-02" + hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ 
= { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_0D13 { +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180" - hash = "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76" - date = "2023-11-02" + hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion 
builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e00310037003000350032002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310037002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rtif/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i } -rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_64DD { +rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66" - hash = "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3" - date = "2023-11-02" + hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* InternalName PanMonFltsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 
} /* OriginalFilename PanMonFltsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanMonFlt/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_F4E5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2023-11-02" + hash = "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114" + hash = "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310034002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } 
/* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Pchuntersys_Pchunter_1B7F { +rule PUA_VULN_Renamed_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PCHunter.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2023-11-02" + hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]4e00666e660e4e3aff0853174eacff094fe1606f6280672f67099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* FileVersion 
*/ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* InternalName PCHuntersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050004300480075006e007400650072 } /* ProductName PCHunter */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* OriginalFilename PCHuntersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310033002d0032003000310036002000450070006f006f006c0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CEpoolsoftCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c0065006e006f0076006f002000470072006f007500700020004c0069006d00690074006500640020002800520029 } /* CompanyName LenovoGroupLimitedR */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* InternalName LenovoDiagnosticsDriversys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073 } /* ProductName LenovoDiagnostics */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* OriginalFilename LenovoDiagnosticsDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000320030003200310020004c0065006e006f0076006f002000470072006f007500700020004c0069006d0069007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright LenovoGroupLimitedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 800KB and all of them and not filename matches /PCHunter/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LenovoDiagnosticsDriver/i } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { +rule PUA_VULN_Renamed_Driver_3F20 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" - hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" - hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" - hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" - hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" - hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" - hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" - date = "2023-11-02" + hash = 
"3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 700KB and all of them and not filename matches /pchunter/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { +rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" - hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2023-11-02" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ - $ = 
{ 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034 } /* ProductName NTIOLibX */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NCHGBIOS2x64/i } -rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { +rule PUA_VULN_Renamed_Driver_Dell_Dbutil_71FE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" - date = "2023-11-02" + hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440065006c006c } /* CompanyName Dell */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0037002e0030002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440042005500740069006c } /* ProductName DBUtil */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000320031002000440065006c006c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e0020 } /* LegalCopyright DellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DBUtilDrv2/i } -rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_13AE { +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_6D2C { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" 
reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9" - hash = "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc" - hash = "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91" - hash = "71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713" - hash = "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3" - hash = "8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040" - date = "2023-11-02" + hash = "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d" + hash = "8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* ProductVersion */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100330020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { +rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" - hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" - date = "2023-11-02" + hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" + hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f } /* InternalName ATSZIO */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_5A0B { +rule PUA_VULN_Renamed_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - asmmap64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9" - hash = "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d" - hash = "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca" - date = "2023-11-02" + hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName 
AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300030003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005300550053 } /* CompanyName ASUS */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* InternalName asmmapsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004b002000470065006e0065007200690063002000460075006e006300740069006f006e00200053006500720076006900630065 } /* ProductName ATKGenericFunctionService */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* OriginalFilename asmmapsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AODDriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /asmmap64/i } -rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_7021 { +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_9724 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-11-02" + hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" + hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030 } /* ProductVersion */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /kprocesshacker/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i } -rule 
PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-11-02" + hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule 
PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AE3A { +rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23BA { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LHA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156" - date = "2023-11-02" + hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" + hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c004700200045006c0065006300740072006f006e00690063007300200049006e0063002e } /* CompanyName LGElectronicsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00480041002e007300790073 } /* InternalName LHAsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00480041002e007300790073 } /* OriginalFilename LHAsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0075006c00740072006100620069006f007300400068006f0074006d00610069006c002e0063006f006d } /* LegalCopyright ultrabioshotmailcom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LHA/i } -rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_8ED0 { +rule PUA_VULN_Renamed_Driver_Elitegroupcomputersystems_Ecsiodriversys_Ecsiodriver_2705 { meta: - description = "Detects renamed vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ecsiodriverx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" - hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" - hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" - hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" - date = "2023-11-02" + hash = "270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045004300530049006f004400720069007600650072 } /* FileDescription ECSIoDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073 } /* CompanyName ElitegroupComputerSystems */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* InternalName ECSIoDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300530049006f004400720069007600650072 } /* ProductName ECSIoDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* OriginalFilename ECSIoDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d003200300031003000200045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCElitegroupComputerSystemsAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ecsiodriverx64/i +} + + +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_8D33 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409" + hash = 
"31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_C586 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65" + hash = "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d" + date = "2024-08-07" + score = 70 + strings: + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" + date = "2024-08-07" + score = 70 + strings: + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f0067004d00650049006e002c00200049006e0063002e } /* CompanyName LogMeInInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* InternalName LMIinfosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0067004d00650049006e } /* ProductName LogMeIn */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* OriginalFilename LMIinfosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033002d00320030003100370020004c006f0067004d00650049006e002c00200049006e0063002e00200050006100740065006e00740065006400200061006e006400200070006100740065006e00740073002000700065006e00640069006e0067002e } /* LegalCopyright CopyrightLogMeInIncPatentedandpatentspending */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LMIinfo/i } -rule PUA_VULN_Renamed_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_9C8E { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + description = 
"Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91" - hash = "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e" - date = "2023-11-02" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300031003400200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CP2X72C/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } -rule 
PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-11-02" + hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* InternalName CupFixerxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* OriginalFilename CupFixerxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CupFixerx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not 
filename matches /sandra/i } -rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_A66B { +rule PUA_VULN_Renamed_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_9D93 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e" - hash = "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727" - date = "2023-11-02" + hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0034002e00320031003300340033002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000320031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not 
filename matches /rtif/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrSetupDrv103/i } -rule PUA_VULN_Renamed_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_00C3 { +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c" - date = "2023-11-02" + hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" + hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" + hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e003200320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030002e00320032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* 
InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300034002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright CopyrightcRadiantSystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /RadHwMgr/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-11-02" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i } @@ -3477,7 +4033,7 @@ rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemser reference = "https://github.com/magicsword-io/LOLDrivers" hash = "edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5" hash = "4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51" - date = "2023-11-02" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ 
@@ -3493,1187 +4049,1187 @@ rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemser } -rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mydrivers/i -} - - -rule 
PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_7142 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5" - hash = "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65" - date = "2023-11-02" + hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00360034 } /* FileDescription GenericPortIOforWin */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule 
PUA_VULN_Renamed_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_A072 { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BCED { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" - hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" - date = "2023-11-02" + hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e00330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300035 } /* LegalCopyright CopyrightCMRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrSetupDrv103/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule 
PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-11-02" + hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* 
LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_1493 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" - date = "2023-11-02" + hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vboxguest/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { +rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_7C0F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-11-02" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 2900KB and all of them and not filename matches /kEvP64/i } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-11-02" + hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i } -rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_BC45 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" - hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" - date = "2023-11-02" + hash = "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e" + hash = "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_0F3E { +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" - hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" - hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" - hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" - hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" - hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" - hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" - date = "2023-11-02" + hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } 
/* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /netfilter2/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i } -rule PUA_VULN_Renamed_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278 { +rule PUA_VULN_Renamed_Driver_Safenetinc_Hostnt_Hostnt_07B6 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440" - date = "2023-11-02" + hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005700610074006300680044006f006700200041006e00740069007600690072007500730020004400720069007600650072 } /* FileDescription 
WatchDogAntivirusDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005700610074006300680044006f00670044006500760065006c006f0070006d0065006e0074002e0063006f006d002c0020004c004c0043002e } /* CompanyName WatchDogDevelopmentcomLLC */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* InternalName wsdkdsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007700730064006b0064 } /* ProductName wsdkd */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* OriginalFilename wsdkdsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053006100660065004e00650074002c00200049006e0063002e } /* CompanyName SafeNetInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048006f00730074006e0074 } /* InternalName Hostnt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006f00730074006e0074 } /* ProductName Hostnt */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048006f00730074006e0074002e007300790073 } /* OriginalFilename Hostntsys */ 
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000200053006100660065004e00650074002c00200049006e0063002e } /* LegalCopyright CopyrightCSafeNetInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /wsdkd/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HOSTNT/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { +rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-11-02" + hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300037 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /KfeCo11X64/i } -rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_848B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-11-02" + hash = "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HpPortIox64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6B71 { +rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7CB5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" - hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - date = "2023-11-02" + hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } -rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { +rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_2AA1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HW.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" - hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-11-02" + hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003100350020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HW/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrAutoChkUpdDrv/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-11-02" + hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" + hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000370030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" - date = "2023-11-02" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSBMon/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i } -rule PUA_VULN_Renamed_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_903D { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b" - hash = "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0" - date = "2023-11-02" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00320030002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e0030002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /RadHwMgr/i + uint16(0) == 0x5a4d 
and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_4C2D { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" - hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" - hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" - hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" - date = "2023-11-02" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule 
PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-11-02" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* 
ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i } -rule PUA_VULN_Renamed_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-11-02" + hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500069006e00640075006f00640075006f0020004c0074006400200043006f00720070 } /* CompanyName PinduoduoLtdCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500069006e00640075006f00640075006f00200053006500630075007200650020005600440049 } /* ProductName PinduoduoSecureVDI */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d0032003000320031002000500069006e00640075006f00640075006f00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCPinduoduoCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 1000KB and all of them and not filename matches /VBoxDrv/i + uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" - date = "2023-11-02" + hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_898E { +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289" - hash = "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8" - date = "2023-11-02" + hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" + hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" + hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" + hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" + hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" + hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - 
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice 
*/ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310035002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" - hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-11-02" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00340030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00340030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: - uint16(0) 
== 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_1493 { +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_71C0 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" - hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" - hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - date = "2023-11-02" + hash = "71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713" + hash = "13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9" + hash = "8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040" + hash = "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc" + hash = "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91" + hash = "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* 
CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { +rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-11-02" + hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } 
/* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310035002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* InternalName speedfansys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* OriginalFilename speedfansys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /speedfan/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { +rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-11-02" + hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and 
all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /OpenLibSys/i } -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_D7E0 { +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-11-02" + hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { +rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-11-02" + hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } 
/* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_075D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-11-02" + hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" + hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* 
FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000340039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00330032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00330032 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320030 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { +rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_AE42 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" - hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-11-02" + hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" + hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" + hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000360035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003300200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* 
FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00330020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0033 } /* ProductName MsIoDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i } -rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { +rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" - date = "2023-11-02" + hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ 
= { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName 
VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i } -rule PUA_VULN_Renamed_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-11-02" + hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006e0054006500630068002000540061006900770061006e } /* CompanyName 
EnTechTaiwan */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065003600340061002e007300790073 } /* InternalName seasys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0073006f006600740045006e00670069006e0065002d007800360034 } /* ProductName softEnginex */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065003600340061002e007300790073 } /* OriginalFilename seasys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200045006e0054006500630068002000540061006900770061006e002c00200032003000300034002d0032003000300036002e } /* LegalCopyright CopyrightcEnTechTaiwan */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Se64a/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D7C9 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-11-02" + hash = "d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8" + hash = "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } 
/* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003100200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300030002c002000300030002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not 
filename matches /aswArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_A97B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" - date = "2023-11-02" + hash = "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67" + hash = "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* 
OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
viragt64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-11-02" + hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" + hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034 } /* ProductName NTIOLibX */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { +rule PUA_VULN_Renamed_Driver_Featureintegrationtechnologyinc_Fintekpciecom_81FB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-11-02" + hash = "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d" + hash = "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f00620069007400200049006e0066006f0072006d006100740069006f006e00200054006500630068006e006f006c006f00670079 } /* CompanyName IObitInformationTechnology */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0055006e006c006f0063006b00650072 } /* ProductName Unlocker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460049004e00540045004b002000500043004900450043004f004d00200041006400610070007400650072 } /* FileDescription FINTEKPCIECOMAdapter */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName FeatureIntegrationTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460049004e00540045004b002000500043004900450043004f004d0020 } /* ProductName FINTEKPCIECOM */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200320020004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightCFeatureIntegrationTechnologyInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /FPCIE2COM/i } -rule PUA_VULN_Renamed_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficymachineedition_Build_CAC5 { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6BFC { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461" - hash = "51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb" - date = "2023-11-02" + hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" + hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" + hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* CompanyName GEIntelligentPlatformsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* FileVersion Build */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* ProductVersion Build */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310031002c00200047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* LegalCopyright GEIntelligentPlatformsInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310031 } /* LegalCopyright CopyrightCMRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GEDevDrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7A48 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-11-02" + hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_909D { +rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_45F4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-11-02" + hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003800360035 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } -rule PUA_VULN_Renamed_Driver_Multitheftauto_Mtasanandreas_9F4C { +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FairplayKD.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-11-02" + hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee" + hash = "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9" + hash = "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c" + hash = "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5" + hash = "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7" + hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" + hash = 
"57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" + hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0075006c007400690020005400680065006600740020004100750074006f } /* CompanyName MultiTheftAuto */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00540041002000530061006e00200041006e00640072006500610073 } /* ProductName MTASanAndreas */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003000330020002d002000320030003100370020004d0075006c007400690020005400680065006600740020004100750074006f } /* LegalCopyright CMultiTheftAuto */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300030003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /FairplayKD/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_4D77 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d" - date = "2023-11-02" + hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_F629 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" - hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" - date = "2023-11-02" + hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_45F4 { +rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_8899 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-11-02" + hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" + hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" + hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" + hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003800360035 } /* ProductVersion */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not 
filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { +rule PUA_VULN_Renamed_Driver_Filseclabcorporation_Fildds_Filseclabdynamicdefensesystem_F8C0 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - fildds.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-11-02" + hash = "f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = 
{ 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006400640073 } /* InternalName fildds */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006400640073002e007300790073 } /* OriginalFilename filddssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310031002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ condition: - uint16(0) == 0x5a4d and 
filesize < 300KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /fildds/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-11-02" + hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, 
rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" - date = "2023-11-02" + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename 
matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3070 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" - date = "2023-11-02" + hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName 
VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxTAP/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { +rule 
PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-11-02" + hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /KfeCo10X64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { +rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
sfdrvx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" - date = "2023-11-02" + hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" + hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" + hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule 
PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { +rule PUA_VULN_Renamed_Driver_Nmscommunications_Cgkwinksys_Ctaccess_223F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cg6kwin2k.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" - date = "2023-11-02" + hash = "223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430047002f004d0047002000660061006d0069006c00790020006400720069007600650072 } /* FileDescription CGMGfamilydriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e004d005300200043006f006d006d0075006e00690063006100740069006f006e0073 } /* CompanyName NMSCommunications */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e003000300020006200750069006c0074002000620079003a002000410064006d0069006e006900730074007200610074006f0072 } /* FileVersion builtbyAdministrator */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* InternalName cgkwinksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004300540020004100630063006500730073 } /* ProductName CTAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* OriginalFilename cgkwinksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004e004d005300200043006f006d006d0075006e00690063006100740069006f006e007300200043006f00720070002e0032003000300034 } /* LegalCopyright CopyrightCNMSCommunicationsCorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /AsrAutoChkUpdDrv_1_0_32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cg6kwin2k/i } -rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E6D1 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5" - date = "2023-11-02" + hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600330032002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000350038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them 
and not filename matches /GtcKmdfBs/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-11-02" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* 
ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i } -rule PUA_VULN_Renamed_Driver_Generalelectriccompany_Gedevicedriver_Proficymachineedition_Build_A369 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce" - hash = "ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc" - date = "2023-11-02" + hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* CompanyName GeneralElectricCompany */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* 
FileVersion Build */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* ProductVersion Build */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310037002000470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* LegalCopyright GeneralElectricCompany */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* InternalName CupFixerxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName 
WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* OriginalFilename CupFixerxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GEDevDrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CupFixerx64/i } @@ -4684,7 +5240,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdelive reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0" hash = "f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2" - date = "2023-11-02" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ 
@@ -4700,41 +5256,41 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdelive } -rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { +rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" - date = "2023-11-02" + hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxTAP/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_87B4 { +rule 
PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_4D77 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b" - date = "2023-11-02" + hash = "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ 
@@ -4744,693 +5300,616 @@ rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_87 } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of 
them and not filename matches /viragt64/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E452 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - 
condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" - hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ - condition: - 
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i -} - - -rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" - hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" - date = "2023-11-02" + hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } 
/* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000390038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_00D9 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" + description = "Detects renamed 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-11-02" + hash = "00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007000680079006d0065006d } /* InternalName phymem */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007000680079006d0065006d } /* ProductName phymem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007000680079006d0065006d002e007300790073 } /* OriginalFilename phymemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /phymem64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physicalmemoryaccessdriver_C299 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_C35C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - physmem.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-11-02" + hash = "c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633" + date = "2024-08-07" score 
= 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048 } /* CompanyName HilscherGesellschaftfrSystemaoutomationmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* InternalName physmemsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* ProductName PhysicalMemoryAccessDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* OriginalFilename physmemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright HilscherGesellschaftfrSystemaoutomationmbHAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /physmem/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_D04C { +rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" author = "Florian 
Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" - hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" - hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" - hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" - date = "2023-11-02" + hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription 
ASUSKernelModeDriverforNT */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* InternalName IOMapsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* ProductName ASUSKernelModeDriverforNT */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* OriginalFilename IOMapsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003100300020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /IOMap64/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_E839 { +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-11-02" + hash = 
"e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E452 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-11-02" + hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* 
FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6C71 { +rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ncpl.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" - hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" - hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" - hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" - hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-11-02" + hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" + hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" + date = "2024-08-07" score 
= 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ncpl/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hw/i } -rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { +rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E602 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-11-02" + hash = "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iomem64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GtcKmdfBs/i } -rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_0005 { +rule PUA_VULN_Renamed_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" - hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" - date = "2023-11-02" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /titidrv/i } -rule PUA_VULN_Renamed_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 { +rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_5DF6 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-11-02" + hash = "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003300200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CtiIo64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PDFWKRNL/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-11-02" + hash = 
"b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_348D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" - date = "2023-11-02" + hash = "348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1" + hash = "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* 
InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { +rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5" - hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" - hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" - hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" - hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - date = "2023-11-02" + hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mydrivers/i } -rule PUA_VULN_Renamed_Driver_Huawei_Hwosec_Huaweimatebook_BB11 { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec10x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" - hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" - date = "2023-11-02" + hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004800750061007700650069 } /* CompanyName Huawei */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077004f0073003200450063 } /* 
InternalName HwOsEc */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048007500610077006500690020004d0061007400650042006f006f006b } /* ProductName HuaweiMateBook */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480077004f0073003200450063002e007300790073 } /* OriginalFilename HwOsEcsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310036 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HwOs2Ec10x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { +rule PUA_VULN_Renamed_Driver_Evgatechnologyinc_Windowsvistasmartiodevice_Windowsvistasmartiodevice_3C95 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SMARTEIO64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-11-02" + hash = "3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* FileDescription WindowsVistaSmartIODevice */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName EVGATechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* InternalName WindowsVistaSmartIODevice */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* ProductName WindowsVistaSmartIODevice */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053004d00410052005400450049004f00360034002e005300590053 } /* OriginalFilename SMARTEIOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800630029002000320030003000370020004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightcEVGATechnologyInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SMARTEIO64/i } -rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" - date = "2023-11-02" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* 
LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_5DF6 { +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00" - date = "2023-11-02" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003300200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PDFWKRNL/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSB/i } -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_1FAC { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" - hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-11-02" + hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware 
*/ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-11-02" + hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" + hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Netfiltersys_F171 { +rule PUA_VULN_Renamed_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_D8FC { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" - date = "2023-11-02" + hash = "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright 
Copyrightwyjsqcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* FileDescription WistronRWADriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* CompanyName WistronCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* InternalName WiRwaDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* ProductName WistronRWADriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* OriginalFilename WiRwaDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCWistronCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiRwaDrv/i } -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-11-02" + hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches 
/rtkiow10x64/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_F14D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" - hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-11-02" + hash = "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d" + hash = "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and 
all of them and not filename matches /iQVW64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-11-02" + hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename 
TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E0 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" - hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-11-02" + hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-11-02" + hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000360033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Atlaccesssys_Windowsrwinddkdriver_0B57 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atlAccess.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-11-02" + hash = "0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003100300034 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006d0070006c0065002000500043004900200061006300630065007300730020006400720069007600650072 } /* FileDescription SimplePCIaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* InternalName atlAccesssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* OriginalFilename atlAccesssys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atlAccess/i } -rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_8047 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_909F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250" - hash = "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d" - date = "2023-11-02" + hash = "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100330020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright 
CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 { +rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_3C18 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-11-02" + hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003900380034 } /* ProductVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003900320038 } /* ProductVersion */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: 
@@ -5438,3851 +5917,3749 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 { } -rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF { +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrRapidStartDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" - hash = "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de" - hash = "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f" - hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" - hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" - hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" - date = "2023-11-02" + hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* ProductName RWEverythingReadWriteDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrRapidStartDrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i } -rule PUA_VULN_Renamed_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_7C8A { +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc" - date = "2023-11-02" + hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00330033002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00330033002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000310038004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright NCRCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* 
OriginalFilename VBoxMouseNTsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /RadHwMgr/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxMouseNT/i } -rule PUA_VULN_Renamed_Driver_Databaseharborsoftware_Sysinfodetectorxsys_Sysinfodetector_45E5 { +rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_9399 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysInfoDetectorX64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271" - date = "2023-11-02" + hash = "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727" + hash = "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200200066006f007200200053007900730049006e0066006f0020004400650074006500630074006f0072 } /* FileDescription DriverforSysInfoDetector */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* CompanyName DatabaseHarborSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* ProductVersion */ - $ 
= { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* InternalName SysInfoDetectorXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007900730049006e0066006f0020004400650074006500630074006f0072 } /* ProductName SysInfoDetector */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* OriginalFilename SysInfoDetectorXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003400200044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* LegalCopyright CopyrightCDatabaseHarborSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0034002e00320031003300340033002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000320031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SysInfoDetectorX64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rtif/i } -rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_8D33 { +rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409" - hash = "31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5" - date = "2023-11-02" + hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName 
ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iomem64/i } -rule 
PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" - date = "2023-11-02" + hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0035002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0035002e0031002e0031 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300036002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i } -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1B00 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" - date = "2023-11-02" + hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" + hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* 
FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Fintekcorp_Fintekcorpfintekpcieuart_32BD { +rule PUA_VULN_Renamed_Driver_Multitheftauto_Mtasanandreas_9F4C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FairplayKD.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e" - hash = "b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe" - hash = "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d" - date = "2023-11-02" + hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006e00740065006b002000500063006900650032005500610072007400200041006400610070007400650072 } /* FileDescription FintekPcieUartAdapter */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e } /* CompanyName FintekCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e002000460069006e00740065006b0020005000630069006500320055006100720074 } /* ProductName FintekCorpFintekPcieUart */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200040002000460069006e00740065006b00200043006f00720070002e00200032003000300032002d0032003000310033 } /* LegalCopyright CopyrightFintekCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0075006c007400690020005400680065006600740020004100750074006f } /* CompanyName MultiTheftAuto */ + $ 
= { 00460069006c006500560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00540041002000530061006e00200041006e00640072006500610073 } /* ProductName MTASanAndreas */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003000330020002d002000320030003100370020004d0075006c007400690020005400680065006600740020004100750074006f } /* LegalCopyright CMultiTheftAuto */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /FPCIE2COM/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /FairplayKD/i } -rule PUA_VULN_Renamed_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Lv561av.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-11-02" + hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f00670069007400650063006800200049006e0063002e } /* CompanyName LogitechInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* InternalName Lvavsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f006700690074006500630068002000570065006200630061006d00200053006f006600740077006100720065 } /* ProductName LogitechWebcamSoftware */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* OriginalFilename Lvavsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200031003900390036002d00320030003000390020004c006f006700690074006500630068002e002000200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright cLogitechAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 600KB and all of them and not filename matches /Lv561av/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_2BBC { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_A153 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-11-02" + hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" + hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" + hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003300370031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i } -rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_3F36 { meta: - description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-11-02" + hash = "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f" + hash = "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* 
LegalCopyright CorsairMemoryInccAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003200300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-11-02" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-11-02" + hash = 
"ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /viragt64/i } -rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Pancafemanager_0650 { +rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_95D5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFltX64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-11-02" + hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* InternalName PanMonFltXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* OriginalFilename PanMonFltXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanMonFltX64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } -rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_C586 { +rule PUA_VULN_Renamed_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65" - hash = "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d" - date = "2023-11-02" + hash = "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* ProductVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ZwuqiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a6b665668 } /* CompanyName Z */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* ProductName ZwuqiSystemDriver */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom 
*/ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e007a0077007500710069002e0063006f006d } /* LegalCopyright CopyrightCwwwzwuqicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_CAA8 { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" - hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" - date = "2023-11-02" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* 
FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-11-02" + hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName 
TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-11-02" - score = 70 - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* InternalName speedfansys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* OriginalFilename speedfansys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /speedfan/i + uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { +rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" - date = "2023-11-02" + hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = 
{ 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { +rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" 
+ description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* 
FileDescription Temperatureandsysteminformationdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIO/i } -rule PUA_VULN_Renamed_Driver_Realteksemiconductorcorp_Rtportsys_Realtekportio_FF32 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6C5A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1" - date = "2023-11-02" + hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* FileDescription REALTEKPortIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* CompanyName REALTEKSemiconductorCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* InternalName RTPORTSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* ProductName REALTEKPortIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* OriginalFilename RTPORTSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200031003900390039002d00320030003000310020005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* LegalCopyright CopyrightcREALTEKSemiconductorCorp */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E0 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-11-02" + hash = 
"17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* ProductVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_BC45 { +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_3913 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e" - hash = "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714" - date = "2023-11-02" + hash = "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d" + hash = "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1" + hash = "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-11-02" - score = 70 - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003100200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i -} - - -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_767E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-11-02" + hash = "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b" + hash = "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-11-02" + hash = 
"9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* ProductVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* 
OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_909F { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { +rule PUA_VULN_Renamed_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandports_4E3E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - otipcibus.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-11-02" + hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000350038 } /* FileVersion */ - $ = 
{ 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00540069 } /* CompanyName OTi */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* InternalName otipcibussys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200054006f002000410063006300650073007300200050006800790073006900630061006c0020004d0065006d006f0072007900200041006e006400200050006f007200740073 } /* ProductName KernelModeDriverToAccessPhysicalMemoryAndPorts */ + 
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* OriginalFilename otipcibussys */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /otipcibus/i } -rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_A34E { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1" - hash = "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d" - hash = "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9" - date = "2023-11-02" + hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches 
/avgArPot/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { +rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-11-02" + hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ 
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003700200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName MsIoDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i } -rule 
PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3C7E { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_F8D4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" - hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" - hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" - date = "2023-11-02" + hash = "f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* 
OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310031 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not 
filename matches /DcProtect/i } -rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" - date = "2023-11-02" + hash = "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb" + hash = "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_77DA { 
meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-11-02" + hash = "77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f" + hash = "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule 
PUA_VULN_Renamed_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_Dev_DF96 { +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_0368 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858" - date = "2023-11-02" + hash = "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d" + hash = "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0030002e0030002e003200200044006500760020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion DevbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0030002e0030002e00320020004400650076 } /* ProductVersion Dev */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* 
ProductName NCRCorporationHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d00320030003100370020004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcNCRCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /RadHwMgr/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule 
PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B0DC { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvaudio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-11-02" + hash = "b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvaudio/i } -rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_2D83 { +rule 
PUA_VULN_Renamed_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_7C79 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" - hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" - hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" - date = "2023-11-02" + hash = "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* InternalName inpoutxsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f007500740078003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutxDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* OriginalFilename inpoutxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0039002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0039002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /inpoutx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /RadHwMgr/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_5FAE { +rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879" - date = "2023-11-02" + hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* 
CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iomem64/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { +rule PUA_VULN_Renamed_Driver_Pchuntersys_Pchunter_1B7F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PCHunter.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-11-02" + hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]4e00666e660e4e3aff0853174eacff094fe1606f6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* InternalName PCHuntersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050004300480075006e007400650072 } /* ProductName PCHunter */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* OriginalFilename PCHuntersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310033002d0032003000310036002000450070006f006f006c0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CEpoolsoftCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 800KB and all of them and not filename matches /PCHunter/i } -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-11-02" + hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0035002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0035002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName 
SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300036002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not 
filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_0FC3 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2023-11-02" + hash = "0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7" + hash = "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003100200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00310020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0031 } /* ProductName MsIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } 
/* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { +rule PUA_VULN_Renamed_Driver_Netfiltersys_EDC6 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" - hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" - date = "2023-11-02" + hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" + hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" + hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hw/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i } -rule PUA_VULN_Renamed_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { +rule 
PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" - hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" - date = "2023-11-02" + hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003900380034 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atillk64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_7337 { +rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e" - hash = "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4" - date = "2023-11-02" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2024-08-07" score = 70 strings: - 
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i } -rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_0C92 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" - hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" - date = "2023-11-02" + hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 
} /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3CB1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-11-02" + hash = "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284" + hash = "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_D8FC { +rule PUA_VULN_Renamed_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e" - date = "2023-11-02" + hash = "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* FileDescription WistronRWADriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* CompanyName WistronCorporation */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* InternalName WiRwaDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* ProductName WistronRWADriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* OriginalFilename WiRwaDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCWistronCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005700610074006300680044006f006700200041006e00740069007600690072007500730020004400720069007600650072 } /* FileDescription WatchDogAntivirusDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005700610074006300680044006f00670044006500760065006c006f0070006d0065006e0074002e0063006f006d002c0020004c004c0043002e } /* CompanyName WatchDogDevelopmentcomLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* InternalName wsdkdsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007700730064006b0064 } /* ProductName wsdkd */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* OriginalFilename wsdkdsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiRwaDrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /wsdkd/i } -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_3933 { +rule PUA_VULN_Renamed_Driver_Huawei_Hwosec_Huaweimatebook_B179 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec7x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0" - hash = "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d" - date = "2023-11-02" + hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" + hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004800750061007700650069 } /* CompanyName Huawei */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077004f0073003200450063 } /* InternalName HwOsEc */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048007500610077006500690020004d0061007400650042006f006f006b } /* ProductName HuaweiMateBook */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480077004f0073003200450063002e007300790073 } /* OriginalFilename HwOsEcsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310036 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SBIOSIO64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HwOs2Ec7x64/i } -rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 { +rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-11-02" + hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HpPortIox64/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { +rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" - date = "2023-11-02" + hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003200320039 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_66F8 { +rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" - hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" - date = "2023-11-02" + hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i } -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-11-02" + hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0033002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* 
FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0033002e0031002e0031 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" - date = "2023-11-02" + hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { +rule PUA_VULN_Renamed_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_0F30 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-11-02" + hash = "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0" + hash = "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00320030002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e0030002e0037 } /* ProductVersion */ 
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /RadHwMgr/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { +rule PUA_VULN_Renamed_Driver_Insydesoftware_Insydeflash_Insydeflashutilitybitdriver_CE0A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iscflashx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" - date = "2023-11-02" + hash = "ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } 
/* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* FileDescription iscflashxsys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f006600740077006100720065 } /* CompanyName InsydeSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049006e00730079006400650046006c006100730068 } /* InternalName InsydeFlash */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049006e007300790064006500200046006c0061007300680020005500740069006c00690074007900200036003400200062006900740020004400720069007600650072 } /* ProductName InsydeFlashUtilitybitDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* OriginalFilename iscflashxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003500200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iscflashx64/i } -rule PUA_VULN_Renamed_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-11-02" + hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" + date = "2024-08-07" score = 70 strings: - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* InternalName ADVDRVsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f006600740052002000570069006e0064006f0077007300520020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsROperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* OriginalFilename ADVDRVsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800430029002000460055004a00490054005300550020004c0049004d004900540045004400200032003000300035 } /* LegalCopyright CopyrightCFUJITSULIMITED */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000390031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ADV64DRV/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 { +rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_5351 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-11-02" + hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* 
FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-11-02" + hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" + hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000350036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } 
/* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* FileVersion r */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* ProductVersion r */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /vboxdrv/i } -rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 { +rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-11-02" + hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" + hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ 
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* InternalName PanMonFltsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* OriginalFilename PanMonFltsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanMonFlt/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_16E2 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-11-02" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 
200KB and all of them and not filename matches /rzpnk/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_060D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-11-02" + hash = "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f" + hash = "b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100340030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule 
PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_3F36 { +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_7553 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f" - hash = "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60" - date = "2023-11-02" + hash = "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3" + hash = "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } 
/* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003200300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { +rule PUA_VULN_Renamed_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-11-02" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e0030002e0030002e0030 
} /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* InternalName Monitorsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e006300650064002000530079007300740065006d0043006100720065 } /* ProductName AdvancedSystemCare */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* OriginalFilename Monitorsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Monitor_win10_x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atillk64/i } -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-11-02" + hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0033002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0033002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* 
LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i } -rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-11-02" + hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ - $ = 
{ 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iomem64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_D884 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { meta: - description 
= "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" - hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" - hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - date = "2023-11-02" + hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* InternalName vmdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* OriginalFilename vmdrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200056006f006900630065006d006f006400200053002e004c002e0032003000310030002d0032003000320030 } /* LegalCopyright CopyrightCVoicemodSL */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* InternalName aswVmmsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00610076006100730074002100200041006e0074006900760069007200750073 } /* ProductName avastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* OriginalFilename aswVmmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003300200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswVmm/i +} + + +rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = 
"ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037003100320030003100300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006700640072007600360034 } /* ProductName gdrv */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vmdrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_CDFB { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" - hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" - date = "2023-11-02" + hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00330032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00330032 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340033 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320030 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { +rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-11-02" + hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0032002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0032002e0037 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename 
KfeCoDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /KfeCo10X64/i } -rule PUA_VULN_Renamed_Driver_Computerz_Computerzsys_Computerzsystemdriver_61F3 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3D00 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874" - date = "2023-11-02" + hash = "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ComputerZSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f006d00700075007400650072005a } /* CompanyName ComputerZ */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys 
*/ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* ProductName ComputerZSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300030003800200043006f006d00700075007400650072005a } /* LegalCopyright CopyrightCComputerZ */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and 
filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandports_4E3E { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - otipcibus.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-11-02" + hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00540069 } /* CompanyName OTi */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* InternalName otipcibussys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200054006f002000410063006300650073007300200050006800790073006900630061006c0020004d0065006d006f0072007900200041006e006400200050006f007200740073 } /* ProductName KernelModeDriverToAccessPhysicalMemoryAndPorts */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* OriginalFilename otipcibussys */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000360033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /otipcibus/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { meta: - description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" - hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-11-02" + hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f } /* InternalName ATSZIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_348D { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1" - hash = "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778" - date = "2023-11-02" + hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* 
ProductName AEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-11-02" + hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName 
ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" - date = "2023-11-02" + hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* FileVersion r */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* ProductVersion r */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /VBoxDrv/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { +rule PUA_VULN_Renamed_Driver_Interfacecorporation_Cpxcsys_Gpcxc_1183 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-11-02" + hash = "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100320031 } /* FileVersion 
*/ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d003200580037003200430020004b00650072006e0065006c0020004400650076006900630065002000440072006900760065007200280053005900530029002000570069006e0064006f00770073004e0054 } /* FileDescription GPCXCKernelDeviceDriverSYSWindowsNT */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e007300790073 } /* InternalName CPXCsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043 } /* ProductName GPCXC */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043 } /* OriginalFilename CPXC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300030003700200049006e007400650072006600610063006500200043006f00720070002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorpAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CP2X72C/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_16AE { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c" - hash = "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c" - date = "2023-11-02" + hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* FileVersion */ - $ 
= { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-11-02" + hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* InternalName CPUDriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* OriginalFilename CPUDriver */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006200790020004100530055005300540065006b00200043004f004d0050005500540045005200200049004e0043002e00200032003000300036 } /* LegalCopyright CopyrightbyASUSTekCOMPUTERINC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000350032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041006300740069007600650043006c00650061006e } /* ProductName ActiveClean */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WCPU/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-11-02" + hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" + hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00340030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_81D5 { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05" - date = "2023-11-02" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0033002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300031003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AODDriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } -rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_468B { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6CF1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5" - hash = "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1" - date = "2023-11-02" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } -rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { +rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_EAE5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" - date = "2023-11-02" + hash = "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003000390031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtif/i } -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_3C18 { +rule 
PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-11-02" + hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003900320038 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00300031 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300037 } /* LegalCopyright CopyrightCMRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { +rule PUA_VULN_Renamed_Driver_Databaseharborsoftware_Sysinfodetectorxsys_Sysinfodetector_45E5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysInfoDetectorX64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-11-02" + hash = "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200200066006f007200200053007900730049006e0066006f0020004400650074006500630074006f0072 } /* FileDescription DriverforSysInfoDetector */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* CompanyName DatabaseHarborSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* InternalName SysInfoDetectorXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007900730049006e0066006f0020004400650074006500630074006f0072 } /* ProductName SysInfoDetector */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* OriginalFilename SysInfoDetectorXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003400200044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* LegalCopyright CopyrightCDatabaseHarborSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SysInfoDetectorX64/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7048 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" - date = "2023-11-02" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + date = "2024-08-07" score = 70 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { +rule 
PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-11-02" + hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079 } /* CompanyName HPDevelopmentCompany */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* InternalName etdsuppsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048005000200045005400440069002000440072006900760065007200200044004c004c } /* ProductName HPETDiDriverDLL */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* OriginalFilename etdsuppsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200031003900390031002d00320030003200320020004800650077006c006500740074002d005000610063006b00610072006400200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079002c0020004c002e0050002e } /* LegalCopyright CCopyrightHewlettPackardDevelopmentCompanyLP */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000350036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /etdsupp/i + uint16(0) == 0x5a4d and filesize < 400KB and all of 
them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - asmmap64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-11-02" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005300550053 } /* CompanyName ASUS */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* InternalName asmmapsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004b002000470065006e0065007200690063002000460075006e006300740069006f006e00200053006500720076006900630065 } /* ProductName ATKGenericFunctionService */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* OriginalFilename asmmapsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039 
} /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /asmmap64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i } -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { +rule PUA_VULN_Renamed_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_Dev_DF96 { 
meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-11-02" + hash = "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0030002e0030002e003200200044006500760020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion DevbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0030002e0030002e00320020004400650076 } /* ProductVersion Dev */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d00320030003100370020004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcNCRCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /RadHwMgr/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-11-02" + hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i +} + + +rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_BA40 
{ + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003100370035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtif/i } -rule 
PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Vdbsvsys_Mitacsystemserviceprovider_91AF { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VdBSv64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4" - date = "2023-11-02" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* InternalName VdBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* OriginalFilename VdBSvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VdBSv64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Intelcorp_Stdcdrvwssys_Selftestdatacollectordriverforwindowsx_70AF { +rule 
PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrvws64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505" - date = "2023-11-02" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f00720020004400720069007600650072 } /* FileDescription SelfTestDataCollectorDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070002e } /* CompanyName IntelCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* InternalName stdcdrvwssys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072002000440072006900760065007200200066006f0072002000570069006e0064006f00770073002000370020007800360034 } /* ProductName SelfTestDataCollectorDriverforWindowsx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* OriginalFilename 
stdcdrvwssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310030 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /stdcdrvws64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSBMon/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6E0A { +rule PUA_VULN_Renamed_Driver_Copyright_Advancedmalwareprotection_6F55 { meta: - description = "Detects renamed vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-11-02" + hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright 
CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007000790072006900670068007400200032003000310038002e } /* CompanyName Copyright */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* ProductName AdvancedMalwareProtection */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005a0041004d002e006500780065 } /* OriginalFilename ZAMexe */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000310038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /amsdk/i } -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" - hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-11-02" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320031002e00360033 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { +rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_3670 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" - date = "2023-11-02" + hash = "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76" + hash = "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e00310037003000350032002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310037002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rtif/i } -rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" - date = "2023-11-02" + hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ 
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO64I/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-11-02" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_0FC0 { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3" - date = "2023-11-02" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright 
CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } -rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" - date = "2023-11-02" + hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E89C { +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" - hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" - date = "2023-11-02" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not 
filename matches /libnicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-11-02" + hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0034002e003400390033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* InternalName AMDPowerProfilersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020007500500072006f0066 } /* ProductName AMDuProf */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* OriginalFilename AMDPowerProfilersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020003200300032003100200041004d004400200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright AMDIncAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDPowerProfiler/i + uint16(0) == 0x5a4d and filesize < 
100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_C490 { +rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_898E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b" - hash = "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16" - hash = "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e" - date = "2023-11-02" + hash = "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289" + hash = "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName 
WindowsRDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule 
PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D7C9 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AFDA { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8" - hash = "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5" - date = "2023-11-02" + hash = "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3" + hash = "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300030002c002000300030002c002000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* 
FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* InternalName PanIOxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* OriginalFilename PanIOxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIOx64/i -} - - -rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { +rule PUA_VULN_Renamed_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_6386 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" - date = "2023-11-02" + hash = "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e" + hash = "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300031003400200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CP2X72C/i } -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { +rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_C490 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-11-02" + hash = "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b" + hash = "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e" + hash 
= "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e00310031002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e00310031002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName 
WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i } -rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { +rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-11-02" + hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f00480057004d0049004f00360034005f005700310030002e007300790073 } /* OriginalFilename BSHWMIOWsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* InternalName ALSysIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f00360034 } /* ProductName ALSysIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* OriginalFilename ALSysIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300031003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_HWMIO64_W10/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i } -rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" - hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-11-02" + hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100300020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i } -rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" - date = "2023-11-02" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - 
$ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-11-02" + hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* InternalName aswVmmsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00610076006100730074002100200041006e0074006900760069007200750073 } /* ProductName avastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* OriginalFilename aswVmmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003300200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswVmm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { +rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physicalmemoryaccessdriver_C299 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - physmem.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-11-02" + hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName 
viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048 } /* CompanyName HilscherGesellschaftfrSystemaoutomationmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* InternalName physmemsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* ProductName PhysicalMemoryAccessDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* OriginalFilename physmemsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright HilscherGesellschaftfrSystemaoutomationmbHAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /physmem/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { +rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_4CE8 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" - date = "2023-11-02" + hash = "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e00310031003200380035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300030002d0032003000310031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtif/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" - hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" - date = "2023-11-02" + hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320039 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* 
ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i } -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" - date = "2023-11-02" + hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7E81 { +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" - hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - date = "2023-11-02" + hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" + date = "2024-08-07" score = 70 
strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6CF1 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_F629 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" - date = "2023-11-02" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i } -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { +rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-11-02" + hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* 
InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043005900520045004e00200049006e0063002e } /* CompanyName CYRENInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d0050 } /* InternalName AMP */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005900520045004e00200041004d005000200035 } /* ProductName CYRENAMP */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d0070002e007300790073 } /* OriginalFilename ampsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000310039003900390020002d00200032003000310034002e00200043005900520045004e00200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCYRENIncAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i + uint16(0) 
== 0x5a4d and filesize < 200KB and all of them and not filename matches /amp/i } -rule PUA_VULN_Renamed_Driver_3F20 { +rule PUA_VULN_Renamed_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" - date = "2023-11-02" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ condition: - uint16(0) == 0x5a4d and filesize < 700KB and all of them and not filename matches /pchunter/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LgDCatcher/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_837D { +rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2" - hash = 
"77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f" - date = "2023-11-02" + hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300750070006500720062006d0063 } /* InternalName superbmc */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007300750070006500720062006d0063 } /* ProductName superbmc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300750070006500720062006d0063002e007300790073 } /* OriginalFilename superbmcsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /superbmc/i } -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-11-02" + hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit 
*/ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" + description = "Detects renamed vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-11-02" + hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" + hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f00360034 } /* ProductName ALSysIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300031003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription 
IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AE3A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" - date = "2023-11-02" + hash = "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-11-02" + hash = 
"ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys 
*/ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { +rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_6F80 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-11-02" + hash = "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320031 } /* FileVersion */ - 
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-11-02" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName 
NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow8x64/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { +rule PUA_VULN_Renamed_Driver_Filseclabcorporation_Filnk_Filseclabdynamicdefensesystem_AE55 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-11-02" + hash = "ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006e006b } /* InternalName filnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006e006b002e007300790073 } /* OriginalFilename filnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310033002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 900KB and all of them and not filename matches /filnk/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE8 { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-11-02" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_A475 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-11-02" + hash = "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003100320034 } /* FileVersion */ - $ 
= { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_66F8 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" - date = "2023-11-02" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } 
/* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* 
LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_55B5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" - date = "2023-11-02" + hash = "55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780038003600200064007200690076006500720020 } /* ProductName 
DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i } -rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_BA40 { +rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d" - date = "2023-11-02" + hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5" + hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" + hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" + hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" + hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003100370035002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion 
*/ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtif/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i } -rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_FA77 { +rule PUA_VULN_Renamed_Driver_Filseclabcorporation_Filwfp_Filseclabfirewall_490C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filwfp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a" - hash = "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18" - date = "2023-11-02" + hash = "490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* FileDescription FilseclabFirewall */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c007700660070 } /* InternalName filwfp */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* ProductName FilseclabFirewall */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c007700660070002e007300790073 } /* OriginalFilename filwfpsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /filwfp/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { +rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-11-02" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName 
AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrAutoChkUpdDrv_1_0_32/i } -rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" - date = "2023-11-02" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSBMon/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { +rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" - date = "2023-11-02" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { +rule 
PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-11-02" + hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000340039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_47EA { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" - hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0/i and not filename matches /WinRing0x64/i + uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_591B { +rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-11-02" + hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" + hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription 
NTIOLibForMSIRatioCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-11-02" + hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { +rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" - date = "2023-11-02" + hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Stdcdrvsys_Selftestdatacollector_3702 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrv64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20" - date = "2023-11-02" + hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* FileDescription SelfTestDataCollector */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* InternalName stdcdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* ProductName SelfTestDataCollector */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* OriginalFilename stdcdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcIntelCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /stdcdrv64/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B236 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1" - hash = "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3" - date = "2023-11-02" + hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100370036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Safenetinc_Hostnt_Hostnt_07B6 { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-11-02" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053006100660065004e00650074002c00200049006e0063002e } /* CompanyName SafeNetInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0048006f00730074006e0074 } /* InternalName Hostnt */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006f00730074006e0074 } /* ProductName Hostnt */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048006f00730074006e0074002e007300790073 } /* OriginalFilename Hostntsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000200053006100660065004e00650074002c00200049006e0063002e } /* LegalCopyright CopyrightCSafeNetInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ 
condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HOSTNT/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } -rule PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_0B20 { +rule PUA_VULN_Renamed_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_00C3 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" - date = "2023-11-02" + hash = "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e003200320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030002e00320032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300034002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright CopyrightcRadiantSystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /ProxyDrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /RadHwMgr/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_DEE3 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-11-02" + hash = "dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233" + hash = "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000340037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: - description = "Detects renamed 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-11-02" + hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00320030002e0030002e0031003000300038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-11-02" + hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects renamed vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-11-02" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = 
"Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" - hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" - date = "2023-11-02" + hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches 
/rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_9A95 { +rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-11-02" + hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003200380037 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName 
BIOSTARGroup */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f005200430049004f00360034002e007300790073 } /* OriginalFilename BSRCIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_RCIO64/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-11-02" + hash = 
"38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" + hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* InternalName amifldrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* OriginalFilename amifldrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /amifldrv64/i and not filename matches /amifldrv/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { +rule PUA_VULN_Renamed_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_D456 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hwdetectng.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-11-02" + hash = "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2" + hash = "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee" + hash = 
"2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0031003100310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480057004400650074006500630074004e0047 } /* FileDescription HWDetectNG */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069004e00460045005200520045 } /* CompanyName iNFERRE */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* InternalName hwdetectngsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* ProductName hwdetectngsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* OriginalFilename hwdetectngsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200032003000300038002d0030003900200069004e00460045005200520045 } /* LegalCopyright ciNFERRE */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hwdetectng/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { +rule PUA_VULN_Renamed_Driver_Adlicesoftware_Truesight_Truesight_BFC2 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - truesight.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-11-02" + hash = "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0052006f006700750065004b0069006c006c0065007200200041006e007400690072006f006f0074006b006900740020004400720069007600650072 } /* FileDescription RogueKillerAntirootkitDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410064006c00690063006500200053006f006600740077006100720065 } /* CompanyName AdliceSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005400720075006500730069006700680074 } /* InternalName Truesight */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720075006500730069006700680074 } /* ProductName Truesight */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005400720075006500730069006700680074 } /* OriginalFilename Truesight */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000410064006c00690063006500200053006f00660074007700610072006500280043002900200032003000320033 } /* LegalCopyright CopyrightAdliceSoftwareC */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /truesight/i } -rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_87B4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" - date = "2023-11-02" + hash = "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion 
*/ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { +rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_F581 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" - date = "2023-11-02" + hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" + hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" + hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* InternalName inpoutxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f007500740078003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutxDriverVersion */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* OriginalFilename inpoutxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LgCoreTemp/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /inpoutx64/i } -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" - hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" - date = "2023-11-02" + hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_A475 { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f" - date = "2023-11-02" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_7A2C { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" - date = "2023-11-02" + hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i + uint16(0) 
== 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_CA34 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629" - date = "2023-11-02" + hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ZwuqiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a6b665668 } /* CompanyName Z */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* ProductName ZwuqiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e007a0077007500710069002e0063006f006d } /* LegalCopyright CopyrightCwwwzwuqicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_46D1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" - date = "2023-11-02" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright 
CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { +rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash 
= "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2023-11-02" + hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" + hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100300020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName 
CorsairMemoryInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-11-02" + hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" + date = "2024-08-07" score = 70 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003100320034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* 
LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_EAE5 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed" - date = "2023-11-02" + hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003000390031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = 
{ 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00320030002e0030002e0031003000310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not 
filename matches /rtif/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { +rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-11-02" + hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f00620069007400200049006e0066006f0072006d006100740069006f006e00200054006500630068006e006f006c006f00670079 } /* CompanyName IObitInformationTechnology */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0055006e006c006f0063006b00650072 } /* ProductName Unlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6FB5 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_C190 { 
meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-11-02" + hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } -rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_00D9 { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9B6A { meta: - description = "Detects renamed vulnerable driver mentioned 
in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03" - date = "2023-11-02" + hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00320037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00320037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310039 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_2594 { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-11-02" + hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" 
+ date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310034002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i -} - - -rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" - hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d00320030003000380020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0/i and not filename matches /WinRing0x64/i -} - - -rule PUA_VULN_Renamed_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_7337 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" - date = "2023-11-02" + hash = "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e" + hash = "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /titidrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-11-02" + hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0031003000310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E602 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_1E24 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822" - date = "2023-11-02" + hash = "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d" + hash = "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GtcKmdfBs/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SBIOSIO64/i } -rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - VBoxDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-11-02" + hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* ProductVersion r */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /VBoxDrv/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Netfiltersys_79E7 { +rule PUA_VULN_Renamed_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" - hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" - hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" - date = "2023-11-02" + hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* InternalName ADVDRVsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f006600740052002000570069006e0064006f0077007300520020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsROperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* OriginalFilename ADVDRVsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800430029002000460055004a00490054005300550020004c0049004d004900540045004400200032003000300035 } /* LegalCopyright CopyrightCFUJITSULIMITED */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ADV64DRV/i } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-11-02" + hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" 
+ date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-11-02" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxTAP/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { +rule PUA_VULN_Renamed_Driver_Generalelectriccompany_Gedevicedriver_Proficymachineedition_Build_A369 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-11-02" + hash = "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce" + hash = 
"ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* CompanyName GeneralElectricCompany */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* FileVersion Build */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310037002000470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* LegalCopyright GeneralElectricCompany */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GEDevDrv/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_85FD { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea" - date = "2023-11-02" + hash = "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ 
@@ -9292,487 +9669,481 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B { } -rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_2AA1 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-11-02" + hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrAutoChkUpdDrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of 
them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-11-02" + hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4 { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-11-02" + hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100380020005000750062006c00690063002000620079002000560065006b0074006f0072002000540031003300200028007200650076002e003000350029 } /* ProductName AntidetectPublicbyVektorTrev */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100380020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i } 
-rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { +rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" - date = "2023-11-02" + hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0034002e003400390033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* InternalName AMDPowerProfilersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020007500500072006f0066 } /* ProductName AMDuProf */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* OriginalFilename AMDPowerProfilersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020003200300032003100200041004d004400200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright AMDIncAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDPowerProfiler/i } -rule 
PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_6F80 { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0" - date = "2023-11-02" + hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e0032003000310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-11-02" + hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310036002e00340033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_7A2C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-11-02" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them 
and not filename matches /nicm/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { +rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_9A95 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" - date = "2023-11-02" + hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003200380037 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-11-02" + hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" + date = "2024-08-07" 
score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000370037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003100200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { +rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_2BBC { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-11-02" + hash = 
"2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000390031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003300370031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d 
} /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_1A45 { +rule PUA_VULN_Renamed_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Lv561av.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67" - date = "2023-11-02" + hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f00670069007400650063006800200049006e0063002e } /* CompanyName LogitechInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* InternalName Lvavsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f006700690074006500630068002000570065006200630061006d00200053006f006600740077006100720065 } /* ProductName LogitechWebcamSoftware */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* OriginalFilename Lvavsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200031003900390036002d00320030003000390020004c006f006700690074006500630068002e002000200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright cLogitechAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i + uint16(0) == 0x5a4d and filesize < 600KB and all of them and not filename matches /Lv561av/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { +rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E6D1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-11-02" + hash = "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000330033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys 
*/ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600330032002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GtcKmdfBs/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { +rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-11-02" + hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0031003000310036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002d003200300032003100200048005000200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCHPIncAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of 
them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HpPortIox64/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9254 { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-11-02" + hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE8 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-11-02" + hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /OpenLibSys/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-11-02" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 
} /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /viragt64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxTAP/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9254 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-11-02" + hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName 
TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them 
and not filename matches /NTIOLib/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_3AF9 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-11-02" + hash = "3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000350032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006300740069007600650043006c00650061006e } /* ProductName ActiveClean */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and 
all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i } -rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_5351 { +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iqvw64e.sys, iQVW64.SYS, NalDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-11-02" + hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" + hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003300200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) 
== 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iqvw64e/i and not filename matches /iQVW64/i and not filename matches /NalDrv/i } -rule PUA_VULN_Renamed_Driver_Insydesoftware_Insydeflash_Insydeflashutilitybitdriver_CE0A { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iscflashx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9" - date = "2023-11-02" + hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* FileDescription iscflashxsys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f006600740077006100720065 } /* CompanyName InsydeSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049006e00730079006400650046006c006100730068 } /* InternalName InsydeFlash */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e007300790064006500200046006c0061007300680020005500740069006c00690074007900200036003400200062006900740020004400720069007600650072 } /* ProductName InsydeFlashUtilitybitDriver 
*/ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* OriginalFilename iscflashxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003500200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iscflashx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_0368 { +rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d" - hash = "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea" - date = "2023-11-02" + hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003100200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00310020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0031 } /* ProductName MsIoDriverVersion */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_1E9C { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1078 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" - hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" - date = "2023-11-02" + hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion 
*/ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } @@ -9782,7 +10153,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-11-02" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -9798,280 +10169,263 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them 
and not filename matches /viragt/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them 
and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 { +rule PUA_VULN_Renamed_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_05C1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-11-02" + hash = "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686" + hash = "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300032003000200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightInterfaceCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz_x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CP2X72C/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-11-02" + hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000390038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000390039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 { +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-11-02" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt/i } -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_8FE9 { +rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-11-02" + hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003100310035 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* InternalName CPUDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* OriginalFilename CPUDriver */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006200790020004100530055005300540065006b00200043004f004d0050005500540045005200200049004e0043002e00200032003000300036 } /* LegalCopyright CopyrightbyASUSTekCOMPUTERINC */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WCPU/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { +rule PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_0B20 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-11-02" + hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00320030002e0030002e0031003000310032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00320030 } 
/* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ProxyDrv/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-11-02" + hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i } -rule 
PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" - date = "2023-11-02" + hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0030002e0031003000370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename 
matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { +rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HW.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" - date = "2023-11-02" + hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" + hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003100350020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not 
filename matches /vboxguest/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HW/i } -rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_0ABC { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6E0A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664" - date = "2023-11-02" + hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider 
*/ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d 
and filesize < 100KB and all of them and not filename matches /GtcKmdfBs/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-11-02" + hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches 
/avgArPot/i } -rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_81D5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300031003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ 
+ condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AODDriver/i +} + + +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" - date = "2023-11-02" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* 
OriginalFilename HWiNFOSYS */ 
@@ -10081,767 +10435,762 @@ rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { } -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-11-02" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* 
LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i } -rule PUA_VULN_Renamed_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { +rule PUA_VULN_Renamed_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - VBoxMouseNT.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" - date = "2023-11-02" + hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070006f0072006100740069006f006e } /* CompanyName NVIDIACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00760066006c006100730068 } /* InternalName nvflash */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072 } /* ProductName NVIDIAFlashDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00760066006c006100730068002e007300790073 } /* OriginalFilename nvflashsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003100370020004e0056004900440049004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CNVIDIACorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxMouseNT/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvflash/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_85FD { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3" - date = "2023-11-02" + hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_C0E7 { +rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" - date = "2023-11-02" + hash = 
"26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100380020005000750062006c00690063002000620079002000560065006b0074006f0072002000540031003300200028007200650076002e003000350029 } /* ProductName AntidetectPublicbyVektorTrev */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100380020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /ProxyDrv/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i } -rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-11-02" + hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription 
VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BCED { +rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-11-02" + hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" + hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e00330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300035 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName 
ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_B3D1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" - date = "2023-11-02" + hash = "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c" + hash = "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SBIOSIO64/i } -rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-11-02" + hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e00310031002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e00310031002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_1698 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-11-02" + hash = "1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i } -rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_4CE8 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0" - date = "2023-11-02" + hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e00310031003200380035002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300030002d0032003000310031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0031003100310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtif/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { +rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonitorsdriverdevelopmentedition_7877 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VProEventMonitor.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" - date = "2023-11-02" + hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e } /* CompanyName SymantecCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00340035003700300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* InternalName VProEventMonitorSys */ + $ = 
{ 00500072006f0064007500630074004e0061006d0065[1-8]00530079006d0061006e0074006500630020004500760065006e00740020004d006f006e00690074006f00720073002000440072006900760065007200200044006500760065006c006f0070006d0065006e0074002000450064006900740069006f006e } /* ProductName SymantecEventMonitorsDriverDevelopmentEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* OriginalFilename VProEventMonitorSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d0032003000300038002000530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSymantecCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VProEventMonitor/i } -rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { +rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-11-02" + hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /kprocesshacker/i } -rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" - date = "2023-11-02" + hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* 
InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" - date = "2023-11-02" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow8x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_CA34 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" - date = "2023-11-02" + hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } 
/* ProductVersion v */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* 
LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i } -rule PUA_VULN_Renamed_Driver_Asmediatechnologyinc_Asmiosys_Asmediapcidriver_E465 { +rule PUA_VULN_Renamed_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsmIo64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb" - date = "2023-11-02" + hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* FileDescription AsmediaPCIDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410073006d006500640069006100200054006500630068006e006f006c006f00670079002000200049006e0063002e } /* CompanyName AsmediaTechnologyInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* InternalName AsmIosys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* ProductName AsmediaPCIDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* OriginalFilename AsmIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000410073006d006500640069006100200054006500630068006e006f006c006f00670079002e } /* LegalCopyright AsmediaTechnology */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /AsmIo64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CtiIo64/i } -rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { +rule PUA_VULN_Renamed_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysDrv3S.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-11-02" + hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00330053002d0053006d00610072007400200053006f00660074007700610072006500200053006f006c007500740069006f006e007300200047006d00620048 } /* CompanyName SSmartSoftwareSolutionsGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c0035002c0036002c0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0035002e0036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530079007300440072007600330053 } /* InternalName SysDrvS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079007300440072007600330053 } /* ProductName SysDrvS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530079007300440072007600330053002e007300790073 } /* OriginalFilename SysDrvSsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300036002d0032003000310034 } /* LegalCopyright Copyright */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SysDrv3S/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_6945 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402" - date = "2023-11-02" + hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PDFWKRNL/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_7C79 { +rule 
PUA_VULN_Renamed_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficymachineedition_Build_CAC5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f" - date = "2023-11-02" + hash = "cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461" + hash = "51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0039002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0039002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName 
RadiantSystemsIncHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* CompanyName GEIntelligentPlatformsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* FileVersion Build */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310031002c00200047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* LegalCopyright GEIntelligentPlatformsInc */ condition: - uint16(0) == 0x5a4d and filesize < 
100KB and all of them and not filename matches /RadHwMgr/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GEDevDrv/i } -rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonitorsdriverdevelopmentedition_7877 { +rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VProEventMonitor.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-11-02" + hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e } /* CompanyName SymantecCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00340035003700300038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* InternalName VProEventMonitorSys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00530079006d0061006e0074006500630020004500760065006e00740020004d006f006e00690074006f00720073002000440072006900760065007200200044006500760065006c006f0070006d0065006e0074002000450064006900740069006f006e } /* ProductName SymantecEventMonitorsDriverDevelopmentEdition */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* OriginalFilename VProEventMonitorSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d0032003000300038002000530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSymantecCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName 
WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VProEventMonitor/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz_x64/i } -rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { +rule PUA_VULN_Renamed_Driver_Lowleveldriver_F941 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GPU-Z.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" - date = "2023-11-02" + hash = "f9418b5e90a235339a4a1a889490faca39cd117a51ba4446daa1011da06c7ecd" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } /* FileDescription LowLevelDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } /* ProductName LowLevelDriver */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300034002d00320030003100300020002800630029002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GPU-Z/i } -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" - date = "2023-11-02" + hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310037 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { +rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-11-02" + hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e0034002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0034002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003200200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NCHGBIOS2x64/i } -rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { +rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-11-02" + hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" + hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320031002e00360033 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } -rule PUA_VULN_Renamed_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_30AB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-11-02" + hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f0077007300ae002000770069006e006f007700730020003700200064007200690076006500720020006b006900740073002000700072006f00760069006400650072 } /* CompanyName Windowswinowsdriverkitsprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* InternalName HwRwDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* ProductName Hardwarereadwritedriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* OriginalFilename HwRwDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightMicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00330030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300038 } /* LegalCopyright CopyrightCMRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HwRwDrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { +rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-11-02" + hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003100300034 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i and 
not filename matches /zamguard32/i and not filename matches /zamguard64/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_0FC0 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" - date = "2023-11-02" + hash = "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } 
/* OriginalFilename Tmelsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i 
} -rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_D9A7 { +rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23" - hash = "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b" - date = "2023-11-02" + hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright 
Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007000680079006d0065006d } /* InternalName phymem */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007000680079006d0065006d } /* ProductName phymem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007000680079006d0065006d002e007300790073 } /* OriginalFilename phymemsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /phymem64/i } -rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B { +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_16A2 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-11-02" + hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" + hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f0067004d00650049006e002c00200049006e0063002e } /* CompanyName LogMeInInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* InternalName LMIinfosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0067004d00650049006e } /* ProductName LogMeIn */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* OriginalFilename LMIinfosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033002d00320030003100370020004c006f0067004d00650049006e002c00200049006e0063002e00200050006100740065006e00740065006400200061006e006400200070006100740065006e00740073002000700065006e00640069006e0067002e } /* LegalCopyright CopyrightLogMeInIncPatentedandpatentspending */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LMIinfo/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { +rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header 
- VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-11-02" + hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i } -rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" - date = "2023-11-02" + hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* FileVersion r */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* ProductVersion r */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSB/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /VBoxDrv/i } -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { +rule PUA_VULN_Renamed_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-11-02" + hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* InternalName IOMapsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* ProductName ASUSKernelModeDriverforNT */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* OriginalFilename IOMapsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003100300020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500069006e00640075006f00640075006f0020004c0074006400200043006f00720070 } /* CompanyName PinduoduoLtdCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500069006e00640075006f00640075006f00200053006500630075007200650020005600440049 } /* ProductName PinduoduoSecureVDI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d0032003000320031002000500069006e00640075006f00640075006f00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCPinduoduoCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /IOMap64/i + uint16(0) == 0x5a4d and filesize < 1000KB and all of them and not filename matches /VBoxDrv/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-11-02" + hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } 
/* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-11-02" + hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-11-02" + hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ 
@@ -10851,221 +11200,286 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { } -rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_848B { +rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_7021 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891" - date = "2023-11-02" + hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /kprocesshacker/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" + date = "2024-08-07" + score = 70 + strings: + 
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00320030002e0030002e0031003000300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" - date = "2023-11-02" + hash = 
"51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* 
LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { +rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-11-02" + hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* 
ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f00480057004d0049004f00360034005f005700310030002e007300790073 } /* OriginalFilename BSHWMIOWsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches 
/AMDRyzenMasterDriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_HWMIO64_W10/i } -rule PUA_VULN_Renamed_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-11-02" + hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070006f0072006100740069006f006e } /* CompanyName NVIDIACorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00760066006c006100730068 } /* InternalName nvflash */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072 } /* ProductName NVIDIAFlashDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00760066006c006100730068002e007300790073 } /* OriginalFilename nvflashsys */ - $ 
= { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003100370020004e0056004900440049004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CNVIDIACorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvflash/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i 
and not filename matches /avgArPot/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_B224 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i +} + + +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-11-02" + hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0032002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0032002e0037 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i } -rule PUA_VULN_Renamed_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" - date = "2023-11-02" + hash = "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* 
CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LgDCatcher/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i } -rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_9DEE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-11-02" + hash = "9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037003100320030003100300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006700640072007600360034 } /* ProductName gdrv */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i } -rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-11-02" + hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* OriginalFilename mtcBSvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mtcBSv64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-11-02" + hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName 
TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* 
ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_30AB { +rule PUA_VULN_Renamed_Driver_Asmediatechnologyinc_Asmiosys_Asmediapcidriver_E465 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsmIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2023-11-02" + hash = "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00330030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300038 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* FileDescription AsmediaPCIDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410073006d006500640069006100200054006500630068006e006f006c006f00670079002000200049006e0063002e } /* CompanyName AsmediaTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* InternalName AsmIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* ProductName AsmediaPCIDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* OriginalFilename AsmIosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000410073006d006500640069006100200054006500630068006e006f006c006f00670079002e } /* LegalCopyright AsmediaTechnology */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsmIo64/i +} + + +rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } diff --git a/detections/yara/yara-rules_mal_drivers.yar b/detections/yara/yara-rules_mal_drivers.yar index 56d05287a..c7c0d1052 100644 --- a/detections/yara/yara-rules_mal_drivers.yar +++ b/detections/yara/yara-rules_mal_drivers.yar 
@@ -1,130 +1,88 @@ -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAFA { +rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_6994 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9" - hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe" - hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25" - hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09" - hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b" - hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b" - hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9" - hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15" - hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff" - hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be" - hash = "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a" - hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2" - hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd" - hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b" - hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19" - hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878" - hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2" - hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a" - hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85" - hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715" - hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec" 
- hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d" - hash = "c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ - condition: - all of them -} - - -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0740 { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - windbg.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39" - hash = "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7" - hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab" - hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895" - hash = "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8" - hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870" - hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2" - hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7" - hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920" - hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6" - hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736" - hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3" - hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe" - hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a" - hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0" - date = "2023-11-02" + hash = "6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77" + hash = "5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d" + hash = "ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620" + hash = "f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280" + hash = "32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d" + hash = "6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724" + hash = "86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62" + hash = "06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f" + hash = "4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4" + hash = 
"770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a" + hash = "50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76" + hash = "f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a" + hash = "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5" + hash = "139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988" + hash = "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d" + hash = "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12" + hash = "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310039003000340031002e0036003800350020002800570069006e004200750069006c0064002e003100360030003100300031002e00300038003000300029 } /* FileVersion WinBuild */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310039003000340031002e003600380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770069006e006400620067002e007300790073 } /* InternalName windbgsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074003f002000570069006e0064006f00770073003f0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770069006e006400620067002e007300790073 } /* OriginalFilename windbgsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]003f0020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ 
condition: all of them } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_3CA5 { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAF0 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e" + hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919" + hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da" + hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1" + hash = "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06" + hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f" + hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4" + hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5" + hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987" hash = "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1" - hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524" hash = "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37" - hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3" - hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f" - hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919" + hash = "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2" + hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263" + hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2" + hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576" + hash = "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0" + hash = "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f" + hash = 
"ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0" + hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b" hash = "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905" - hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f" + hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c" hash = "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa" - hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e" + hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3" + hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524" hash = "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55" - hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db" - hash = "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a" + hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778" + hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59" + hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719" hash = "4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de" - hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263" - hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987" + hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254" + hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f" hash = "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a" - hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778" - hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1" + hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db" hash = "93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe" - hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2" - hash = 
"0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06" - hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167" - hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c" - hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5" - hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4" - hash = "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0" - hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576" + hash = "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a" hash = "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908" - hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b" - hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da" - hash = "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0" - hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254" - hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719" - hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875" + hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167" hash = "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96" hash = "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601" - hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59" - hash = "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f" - hash = "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2" - date = "2023-11-02" + hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ 
@@ -140,118 +98,27 @@ rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_3CA5 { } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_07BE { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af" - hash = "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f" - hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7" - hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac" - hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80" - hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434" - hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4" - hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392" - hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021" - hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55" - hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c" - hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" - hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c" - hash = "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad" - hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9" - hash = "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ - condition: - all of them -} - - -rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E6F7 { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - windbg.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12" - hash = "4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4" - hash = "f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a" - hash = "f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280" - hash = "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d" - hash = 
"06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f" - hash = "86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62" - hash = "ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620" - hash = "50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76" - hash = "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df" - hash = "6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724" - hash = "139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988" - hash = "5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d" - hash = "32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d" - hash = "6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77" - hash = "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5" - hash = "770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a" - date = "2023-11-02" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310039003000340031002e0036003800350020002800570069006e004200750069006c0064002e003100360030003100300031002e00300038003000300029 } /* FileVersion WinBuild */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310039003000340031002e003600380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770069006e006400620067002e007300790073 } /* InternalName windbgsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074003f002000570069006e0064006f00770073003f0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770069006e006400620067002e007300790073 } /* OriginalFilename windbgsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]003f0020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - all of them -} - - -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_26BE { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_DDF4 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47" - hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be" - hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968" - hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96" - hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550" - hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a" - hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6" - hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c" - hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93" - hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb" - hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266" - hash = 
"c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231" - hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925" - hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653" - hash = "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c" - hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc" - hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd" - hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7" - hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac" - hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4" - hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38" - hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852" - hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475" - hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad" - hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb" - hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7" - hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972" - hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b" - hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12" - hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f" - hash = "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f" - date = "2023-11-02" + hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a" + hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0" + hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895" + hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7" + hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2" + hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe" + hash = 
"e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8" + hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736" + hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3" + hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870" + hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab" + hash = "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7" + hash = "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39" + hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920" + hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ 
@@ -261,32 +128,32 @@ rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_26BE { $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: all of them } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_06DD { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0F58 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8" - hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd" + hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597" + hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212" hash = "0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35" - hash = 
"627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa" - hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1" - hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0" - hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112" - hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3" + hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8" hash = "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a" + hash = "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa" hash = "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03" - hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212" + hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1" hash = "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66" + hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112" + hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0" hash = "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1" - hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597" - date = "2023-11-02" + hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3" + hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ 
@@ -302,96 +169,153 @@ rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_06DD { } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_7662 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2" - hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640" - date = "2023-11-02" + hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d" + hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec" + hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9" + hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09" + hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff" + hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25" + hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe" + hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9" + hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2" + hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b" + hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85" + hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15" + hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd" + hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b" + hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19" + hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a" + hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715" + hash = 
"40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a" + hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b" + hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878" + hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be" + hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2" + hash = "c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: all of them } -rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D9A { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_14B8 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_4.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce" - hash = "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e" - hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" - hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" - date = "2023-11-02" + hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925" + hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475" + hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653" + hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968" + hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38" + hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f" + hash = 
"a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f" + hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266" + hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6" + hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4" + hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550" + hash = "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c" + hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c" + hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb" + hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be" + hash = "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231" + hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb" + hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a" + hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47" + hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12" + hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972" + hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7" + hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7" + hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd" + hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96" + hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac" + hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93" + hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc" + hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad" + hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b" + hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852" + date = "2024-08-07" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003100370032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003100370032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* InternalName wantdsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074002000570069006e0064006f007700730020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* OriginalFilename wantdsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: all of them } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_28F5 { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_41AD { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553" - hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21" - hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28" - date = "2023-11-02" + hash = "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f" + hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7" + hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac" + hash = "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad" + hash = 
"31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6" + hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80" + hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4" + hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" + hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021" + hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392" + hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434" + hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c" + hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af" + hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c" + hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55" + hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: all of them } -rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_96BF { +rule MAL_Driver_Sensecorp_42B2 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ntbios.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" - hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" - date = "2023-11-02" + hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200032002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200032002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e007400620069006f002e007300790073 } /* InternalName ntbiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020004d006900630072006f0073006f00660074002800520029002000570069006e0064006f0077007300200028005200290020004e00540020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsRNTOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e007400620069006f0073002e007300790073 } /* OriginalFilename ntbiossys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000300033 } /* LegalCopyright C */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530065006e00730065003500200043004f00520050 } /* CompanyName SenseCORP */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0030002e0030 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ condition: all of them } 
@@ -403,7 +327,7 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8" - date = "2023-11-02" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005000430049006500200056006900640065006f00200043006100700074007500720065 } /* FileDescription PCIeVideoCapture */ 
@@ -418,77 +342,103 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { } -rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_B0EB { +rule MAL_Driver_Gmer_Gmersys_Gmer_0052 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ndislan.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gmer64.sys, superman.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427" - date = "2023-11-02" + hash = "0052aa88e42055a2eed5ddd17c3499c692360155e5e031a211edfcef577acce3" + hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003400320031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003400320031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e006400690073006c0061006e002e007300790073 } /* InternalName ndislansys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e006400690073006c0061006e002e007300790073 } /* OriginalFilename ndislansys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004d00450052 } /* CompanyName GMER */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c002000360039003800330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200036003900380033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* InternalName gmersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004d00450052 } /* ProductName GMER */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* OriginalFilename gmersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200047004d0045005200200032003000300033002d0032003000310033 } /* LegalCopyright CopyrightCGMER */ condition: all of them } -rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81C7 { +rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - wantd_3.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1" - date = "2023-11-02" + hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e003900330038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e003900330038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* InternalName wantdsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074002000570069006e0064006f007700730020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* OriginalFilename wantdsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: all of them } -rule MAL_Driver_Sensecorp_7F45 { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_2FD4 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6" - date = "2023-11-02" + hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21" + hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28" + hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00530065006e00730065003500200043004f00520050 } /* CompanyName SenseCORP */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0036002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0036002e0030002e0030 } /* ProductVersion */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + 
condition: + all of them +} + + +rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_C0D8 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ntbios_2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" + hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200032002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200032002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e007400620069006f002e007300790073 } /* InternalName ntbiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020004d006900630072006f0073006f00660074002800520029002000570069006e0064006f0077007300200028005200290020004e00540020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsRNTOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e007400620069006f0073002e007300790073 } /* OriginalFilename ntbiossys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000300033 } /* LegalCopyright C */ condition: all of them } -rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem_1485 { +rule 
MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem_8578 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e" hash = "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330" - date = "2023-11-02" + hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004b00650072006e0065006c00200045007800650063007500740069007600650020004d006f00640075006c0065 } /* FileDescription WindowsKernelExecutiveModule */ 
@@ -504,39 +454,71 @@ rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem } -rule MAL_Driver_Sensecorp_42B2 { +rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_E7AF { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_6.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25" - date = "2023-11-02" + hash = "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e" + hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" + hash = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce" + hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530065006e00730065003500200043004f00520050 } /* CompanyName SenseCORP */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0030002e0030 } /* ProductVersion */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003100370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003100370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* InternalName wantdsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074002000570069006e0064006f007700730020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* OriginalFilename wantdsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } -rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8" - date = "2023-11-02" + hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2" + hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640" + date = "2024-08-07" score = 70 strings: + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_6908 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - wantd_2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003900330038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003900330038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* InternalName wantdsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074002000570069006e0064006f007700730020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* OriginalFilename wantdsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } 
@@ -548,7 +530,7 @@ rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d" - date = "2023-11-02" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053006500720076006500720020004e006500740077006f0072006b0020006400720069007600650072 } /* FileDescription ServerNetworkdriver */ 
@@ -564,19 +546,19 @@ rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F } -rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_6908 { +rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81C7 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_2.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_3.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" - date = "2023-11-02" + hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003900330038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003900330038 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e003900330038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e003900330038 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* InternalName wantdsys */ $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f00660074002000570069006e0064006f007700730020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00770061006e00740064002e007300790073 } /* OriginalFilename wantdsys */ 
@@ -586,40 +568,59 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_69 } -rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { +rule MAL_Driver_773B { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gmer64.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" - date = "2023-11-02" + hash = "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004d00450052 } /* CompanyName GMER */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c002000360039003800330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200036003900380033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* InternalName gmersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004d00450052 } /* ProductName GMER */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* OriginalFilename gmersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200047004d0045005200200032003000300033002d0032003000310033 } /* 
LegalCopyright CopyrightCGMER */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d002000320030003100370020 } /* LegalCopyright Copyrightc */ condition: all of them } -rule MAL_Driver_773B { +rule MAL_Driver_Sensecorp_7F45 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894" - date = "2023-11-02" + hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d002000320030003100370020 } /* LegalCopyright Copyrightc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530065006e00730065003500200043004f00520050 } /* CompanyName SenseCORP */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0036002e0030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0036002e0030002e0030 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + +rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_B0EB { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ndislan.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003400320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e0031003400320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e006400690073006c0061006e002e007300790073 } /* InternalName ndislansys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e006400690073006c0061006e002e007300790073 } /* OriginalFilename ndislansys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: all of them } diff --git a/detections/yara/yara-rules_vuln_drivers_strict.yar b/detections/yara/yara-rules_vuln_drivers_strict.yar index 694aa9a62..8a59841a7 100644 --- a/detections/yara/yara-rules_vuln_drivers_strict.yar +++ b/detections/yara/yara-rules_vuln_drivers_strict.yar 
@@ -1,622 +1,670 @@ -rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_3867 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8" - hash = "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c" - date = "2023-11-02" + hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" + hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" + hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" + hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" + hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" + hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" + hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" + hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" + hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310037002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ 
condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_EC13 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0E85 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" - hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" - date = "2023-11-02" + hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" + hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" + hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" + hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" + hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" + hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" + hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" + hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" + hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" + hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ 
= { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: 
uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_5EA5 { +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_786F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" - hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" - hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" - hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" - hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" - hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" - hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" - hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" - hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" - hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" - hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" - hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" - hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" - date = "2023-11-02" + hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" + hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" + hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" + hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" + hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_D807 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_A397 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" - hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" - hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" - date = "2023-11-02" + hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" + hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" + hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" + hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" + hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" + hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" + hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" + hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" + hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" + hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" + 
hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" + hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" + hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" + hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" + hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7462 { +rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" - hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" - hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" - hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" - hash = 
"e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" - hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - date = "2023-11-02" + hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* FileVersion */ + 
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 2900KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2298 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-11-02" + hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" + hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" + hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" + hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" + hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" + hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" + hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { +rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-11-02" + hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" + hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" + hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" + hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" + hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" + hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" + hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" + hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" + hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" + hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" + hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription 
ALSysIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1B00 { +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_0ABC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" - hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2023-11-02" + hash = "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030 } /* 
FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Yyinc_Dianhu_BB50 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" - hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" - date = "2023-11-02" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0059005900200049006e0063002e } /* CompanyName YYInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* ProductVersion */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006400690061006e00680075 } /* ProductName dianhu */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d003200300031003700200059005900200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightYYIncAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_3C0A { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_9DBC { meta: - description = "Detects vulnerable driver mentioned 
in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8" - date = "2023-11-02" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00330032 } /* FileDescription GenericPortIOforWin */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2023-11-02" + hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" + hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" + hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright Copyrightnncom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the 
PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" - hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" - hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" - hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-11-02" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_6948 { +rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
Agent64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" - hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" - hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" - hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" - hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" - hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" - date = "2023-11-02" + hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" + hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073 } /* CompanyName PhoenixTechnologies */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* InternalName Agentsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004400720069007600650072004100670065006e0074 } /* ProductName DriverAgent */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* OriginalFilename Agentsys */ - $ 
= { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0045006e0054006500630068002000540061006900770061006e002c00200031003900390037002d0032003000300039 } /* LegalCopyright EnTechTaiwan */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright 
CopyrightCEldoSCorporation */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { +rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7" - hash = "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c" - hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" - hash = "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9" - hash = "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5" - hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" - hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee" - hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" - date = "2023-11-02" + hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion 
builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300030003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" - date = "2023-11-02" + hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_2594 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" - hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" - hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" - hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" - hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" - hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" - hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" - hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" - date = "2023-11-02" + hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* FileVersion */ + $ = 
{ 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_F4DC { +rule PUA_VULN_Driver_Novellinc_Novellxtier_8473 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2" - hash = "070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103" - date = "2023-11-02" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" + hash 
= "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* InternalName AODDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* OriginalFilename AODDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { +rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_CFAB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" - date = "2023-11-02" + hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" + hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" + hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" + hash = 
"16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" + hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_4CD8 { meta: - description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" - hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" - hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-11-02" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - vboxguest.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" - hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-11-02" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_0FC3 { +rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RwDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7" - hash = "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554" - date = "2023-11-02" + hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" + hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" + hash = 
"3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" + hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" + hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" + hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" + hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" + hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName 
RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200770044007200760020004400720069007600650072 } /* ProductName RwDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" - hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-11-02" + hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" + hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" + hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" + 
date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000370030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName 
WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* InternalName vmdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* OriginalFilename vmdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200056006f006900630065006d006f006400200053002e004c002e0032003000310030002d0032003000320030 } /* LegalCopyright CopyrightCVoicemodSL */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_A130 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-11-02" + hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" + hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" + 
date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e } /* CompanyName PhoenixTechnologiesLtd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500048004c004100530048004e0054 } /* InternalName PHLASHNT */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00500068006c006100730068 } /* ProductName WinPhlash */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500048004c004100530048004e0054002e005300590053 } /* OriginalFilename PHLASHNTSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800630029002000500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e00200032003000300030002d0032003000300033 } /* LegalCopyright cPhoenixTechnologiesLtd */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EE3F { +rule PUA_VULN_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" - hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" - date = "2023-11-02" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003000390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_6945 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-11-02" + hash = "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100370036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 { +rule PUA_VULN_Driver_Fintekcorp_Fintekcorpfintekpcieuart_32BD { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e" + hash = "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d" + hash = "b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006e00740065006b002000500063006900650032005500610072007400200041006400610070007400650072 } /* FileDescription FintekPcieUartAdapter */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e } /* CompanyName FintekCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e002000460069006e00740065006b0020005000630069006500320055006100720074 } /* ProductName FintekCorpFintekPcieUart */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200040002000460069006e00740065006b00200043006f00720070002e00200032003000300032002d0032003000310033 } /* LegalCopyright CopyrightFintekCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_42B3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb" - hash = "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9" - date = "2023-11-02" + hash = "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180" + hash = "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ 
@@ -626,1053 +674,1552 @@ rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 { } -rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-11-02" + hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f005200430049004f00360034002e007300790073 } /* OriginalFilename BSRCIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { 
meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" - date = "2023-11-02" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D633 { +rule PUA_VULN_Driver_Netfiltersys_F171 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b" - hash = "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36" - date = "2023-11-02" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_DD4F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-11-02" + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = 
"6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_7627 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-11-02" + hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" + hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* 
FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* 
ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_65DE { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_16AE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" - hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" - hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" - hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" - hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" - hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" - hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" - hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" - hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" - hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" - hash = 
"4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" - date = "2023-11-02" + hash = "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c" + hash = "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { +rule PUA_VULN_Driver_Computerz_Computerzsys_Computerzsystemdriver_61F3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" - hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-11-02" + hash = "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* InternalName amifldrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* OriginalFilename amifldrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ComputerZSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f006d00700075007400650072005a } /* CompanyName ComputerZ */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* ProductName ComputerZSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300030003800200043006f006d00700075007400650072005a } /* LegalCopyright CopyrightCComputerZ */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_88E2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-11-02" + hash = 
"88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc" + hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478" + hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" + hash = "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a" + hash = "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476" + hash = "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06" + hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" + hash = "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7" + hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" + hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" + hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys" + description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-11-02" + hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" + hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" + hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" + hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" + hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" + hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" + hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043005900520045004e00200049006e0063002e } /* CompanyName CYRENInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d0050 } /* InternalName AMP */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005900520045004e00200041004d005000200035 } /* ProductName CYRENAMP */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d0070002e007300790073 } /* OriginalFilename ampsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000310039003900390020002d00200032003000310034002e00200043005900520045004e00200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCYRENIncAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_26EC { +rule PUA_VULN_Driver_Mitactechnologycorporation_Vdbsvsys_Mitacsystemserviceprovider_91AF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VdBSv64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd" - hash = "dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233" - date = "2023-11-02" + hash = "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* InternalName VdBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* OriginalFilename VdBSvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_442D { +rule PUA_VULN_Driver_Novellinc_Novellxtier_00B3 { meta: - description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243" - hash = "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c" - date = "2023-11-02" + hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" + hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" + hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" + hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" + hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_66A2 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_B50F { meta: description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" - hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" - hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" - date = "2023-11-02" + hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" + hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" + hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" + hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" + hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0B54 { +rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" - hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" - hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" - hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" - date = "2023-11-02" + hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" + hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename 
WinRingsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d00320030003000380020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { +rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" - hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-11-02" + hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* ProductVersion r */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f0077007300ae002000770069006e006f007700730020003700200064007200690076006500720020006b006900740073002000700072006f00760069006400650072 } /* CompanyName Windowswinowsdriverkitsprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* InternalName HwRwDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* ProductName Hardwarereadwritedriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* OriginalFilename HwRwDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightMicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { +rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" - hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" - hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" - date = "2023-11-02" + hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright Copyrightnncom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Bsmisys_552F { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" - hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - date = "2023-11-02" + hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ + $ = 
{ 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntamfnbvctvcbmftwc_36B9 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_FF55 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_Def64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" - hash = 
"5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" - hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" - hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" - date = "2023-11-02" + hash = "ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100730075007300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName AsusTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* InternalName BsDefsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007500700070006f0072007400200053005300540033003900530046003000320030002c0053005300540032003900450045003000320030002c004100540034003900460030003000320054002c00410054003200390043003000320030002c0041004d003200390046003000300032004e0054002c0041004d003200390046003000300032004e0042002c0056003200390043003500310030003000320054002c0056003200390043003500310030003000320042002c004d0032003900460030003000320054002c0057003200390043003000320030002e } /* ProductName SupportSSTSFSSTEEATFTATCAMFNTAMFNBVCTVCBMFTWC */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* OriginalFilename BsDefsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004100730075007300540065006b00200043006f006d00700075007400650072002e00200031003900390032002d0032003000300034 } /* LegalCopyright CopyrightCAsusTekComputer */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_05C1 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_A855 
{ meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686" - hash = "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f" - date = "2023-11-02" + hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300032003000200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-11-02" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { +rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2023-11-02" + hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription 
IObitTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* InternalName Monitorsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e006300650064002000530079007300740065006d0043006100720065 } /* ProductName AdvancedSystemCare */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* OriginalFilename Monitorsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Featureintegrationtechnologyinc_Fintekpciecom_81FB { +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_2B33 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d" - hash = "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1" - date = "2023-11-02" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = 
"faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460049004e00540045004b002000500043004900450043004f004d00200041006400610070007400650072 } /* FileDescription FINTEKPCIECOMAdapter */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName FeatureIntegrationTechnologyInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460049004e00540045004b002000500043004900450043004f004d0020 } /* ProductName FINTEKPCIECOM */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200320020004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightCFeatureIntegrationTechnologyInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { +rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2023-11-02" + hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0030002e0031003000370032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e } /* CompanyName PhoenixTechnologiesLtd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500048004c004100530048004e0054 } /* InternalName PHLASHNT */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00500068006c006100730068 } /* ProductName WinPhlash */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500048004c004100530048004e0054002e005300590053 } /* OriginalFilename PHLASHNTSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800630029002000500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e00200032003000300030002d0032003000300033 } /* LegalCopyright cPhoenixTechnologiesLtd */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { +rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" - hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" - hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" - hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" - hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" - hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" - hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" - hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" - hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" - hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" - hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" - hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" - hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" - hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" - hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" - hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" - hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" - hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" - hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" - date = "2023-11-02" + hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310030002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_F4DC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2023-11-02" + hash = "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2" + hash = "070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e0034002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0034002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003200200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_D680 { +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_8FE4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7" - hash = "e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65" - hash = "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab" - hash = "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e" - date = "2023-11-02" + hash = "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65" + hash = "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00360034 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_C6A5 { +rule PUA_VULN_Driver_Anticheatexpertcom_Acebase_Anticheatexpert_7326 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ACE-BASE.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413" - hash = "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d" - date = "2023-11-02" + hash = "7326aefff9ea3a32286b423a62baebe33b73251348666c1ee569afe62dd60e11" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100430045002d0042004100530045003600340020004e00540020004400720069007600650072 } /* FileDescription ACEBASENTDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041004e0054004900430048004500410054004500580050004500520054002e0043004f004d } /* CompanyName ANTICHEATEXPERTCOM */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032003200300032002e0036003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100430045002d004200410053004500360034 } /* InternalName ACEBASE */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069002d004300680065006100740020004500780070006500720074 } /* ProductName AntiCheatExpert */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200041006e0074006900430068006500610074004500780070006500720074002e0063006f006d0020004c0069006d0069007400650064002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright AntiCheatExpertcomLimitedAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 1900KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_F77F { +rule 
PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" - hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" - hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" - hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" - date = "2023-11-02" + hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxc_1183 { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1072 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359" - date = "2023-11-02" + hash = "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a" + hash = "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d003200580037003200430020004b00650072006e0065006c0020004400650076006900630065002000440072006900760065007200280053005900530029002000570069006e0064006f00770073004e0054 } /* FileDescription GPCXCKernelDeviceDriverSYSWindowsNT */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e007300790073 } /* InternalName CPXCsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043 } /* ProductName GPCXC */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043 } /* OriginalFilename CPXC */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300030003700200049006e007400650072006600610063006500200043006f00720070002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorpAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0061007600610073007400210020004e0047 } /* ProductName avastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003200200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8A07 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-11-02" + hash = 
"8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" + hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" + hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" + hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" + hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" + hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" + hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" + hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" + hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" + hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" + hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_C0C5 { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b" - hash = "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180" - date = "2023-11-02" + hash = 
"0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" + hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" + hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" + hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" + hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" + hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" + hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" + hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" + hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" + hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" + hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" + hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" + hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" + hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" + hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" + hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" + hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" + hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" + hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310030002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_3140 { +rule PUA_VULN_Driver_Proxydrvsys_Nn_C0E7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" - hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" - hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" - hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" - hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" - date = "2023-11-02" + hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion 
*/ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_5381 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_47E3 { +rule PUA_VULN_Driver_Netfiltersys_26D6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" - hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" - hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" - hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" - hash = 
"0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" - hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" - hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" - hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" - date = "2023-11-02" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } 
/* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3D00 { +rule PUA_VULN_Driver_Asustek_Driversys_Ectool_927C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86-withoutdbg.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription 
NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" + hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" + hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" + hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300740065006b } /* CompanyName ASUStek */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044007200690076006500720037002e007300790073 } /* InternalName Driversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300200074006f006f006c } /* ProductName ECtool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044007200690076006500720037 } /* OriginalFilename Driver */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020 } /* LegalCopyright Copyright */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" - hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" - hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" - hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" - hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" - date = "2023-11-02" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e002c00200032003000300033 } /* LegalCopyright CopyrightCATITechnologiesInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B { +rule PUA_VULN_Driver_Intelcorp_Stdcdrvwssys_Selftestdatacollectordriverforwindowsx_70AF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrvws64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-11-02" + hash = "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c0065006e006f0076006f002000470072006f007500700020004c0069006d00690074006500640020002800520029 } /* CompanyName LenovoGroupLimitedR */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* InternalName LenovoDiagnosticsDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073 } /* ProductName LenovoDiagnostics */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* OriginalFilename LenovoDiagnosticsDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000320030003200310020004c0065006e006f0076006f002000470072006f007500700020004c0069006d0069007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright LenovoGroupLimitedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f00720020004400720069007600650072 } /* FileDescription SelfTestDataCollectorDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070002e } /* CompanyName IntelCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* InternalName stdcdrvwssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072002000440072006900760065007200200066006f0072002000570069006e0064006f00770073002000370020007800360034 } /* ProductName SelfTestDataCollectorDriverforWindowsx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* OriginalFilename stdcdrvwssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310030 } /* LegalCopyright Copyright */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_E757 { +rule PUA_VULN_Driver_Realteksemiconductorcorp_Rtportsys_Realtekportio_FF32 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LHA.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" - date = "2023-11-02" 
+ hash = "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c004700200045006c0065006300740072006f006e00690063007300200049006e0063002e } /* CompanyName LGElectronicsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00480041002e007300790073 } /* InternalName LHAsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00480041002e007300790073 } /* OriginalFilename LHAsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0075006c00740072006100620069006f007300400068006f0074006d00610069006c002e0063006f006d } /* LegalCopyright ultrabioshotmailcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* FileDescription REALTEKPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* CompanyName REALTEKSemiconductorCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* InternalName RTPORTSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* ProductName REALTEKPortIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* OriginalFilename RTPORTSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200031003900390039002d00320030003000310020005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* LegalCopyright CopyrightcREALTEKSemiconductorCorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_E728 { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" - hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" - hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" - date = "2023-11-02" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { +rule PUA_VULN_Driver_Novellinc_Novellxtier_834A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" - hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" - hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" - date = "2023-11-02" + hash = 
"834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f002000640072006900760065007200200066006c0065 } /* ProductName BIOSTARIOdriverfle */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f0049003200630049006f002e007300790073 } /* OriginalFilename BSIcIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300036002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1792 { +rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_F4C7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" - hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" - hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" - hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - date = "2023-11-02" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + hash = 
"1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" - hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" - hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" - hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" - hash = 
"572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" - hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" - hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" - hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" - hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" - date = "2023-11-02" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310037002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7A48 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2023-11-02" + hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 { +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_3867 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2023-11-02" + hash = "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8" + hash = "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" - hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" - hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" - hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" - hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" - hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" - hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" - hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" - hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" - hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" - hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" - date = "2023-11-02" + hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" + date = "2024-08-07" 
score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000330033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = 
{ 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 300KB and all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003100200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 300KB and all of them +} + + +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" + hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" + hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f002000640072006900760065007200200066006c0065 } /* ProductName BIOSTARIOdriverfle */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f0049003200630049006f002e007300790073 } /* OriginalFilename BSIcIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300036002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* OriginalFilename mtcBSvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003700200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys, viragt64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Pancafemanager_0650 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFltX64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName 
PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* InternalName PanMonFltXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* OriginalFilename PanMonFltXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D633 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b" + hash = "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription 
NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName 
AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 300KB and all of them +} + + +rule PUA_VULN_Driver_Bsmisys_5962 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMI.sys, BSMIXP64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" + hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_C6FE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" + hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" + hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" + hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1" + hash = "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7" + hash = "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8" + hash = "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793" + hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" + hash = "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4" + hash = "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb" + hash = "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530" + hash = "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5" + hash = "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03" + hash = "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6" + hash = "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d" + hash = "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6" + hash = "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2" + hash = "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be" + hash = 
"18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805" + hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" + hash = "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57" + hash = "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4" + hash = "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558" + hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" + hash = "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94" + hash = "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d" + hash = "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482" + hash = "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7" + hash = "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1" + hash = "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499" + hash = "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526" + hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" + hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" + hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_7C8A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00330033002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00330033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000310038004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright NCRCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Avaluetechnologyinc_Avalueio_Avalueio_A5A4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - avalueio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec" + hash = "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100760061006c007500650049004f0020004400720069007600650072 } /* FileDescription AvalueIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0020004100760061006c0075006500200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName AvalueTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100560041004c005500450049004f } /* InternalName AVALUEIO */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004100760061006c007500650049004f0020 } /* ProductName AvalueIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100560041004c005500450049004f002e005300590053 } /* OriginalFilename AVALUEIOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006300200032003000310036 } /* LegalCopyright Copyrightc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntamfnbvctvcbmftwc_5F5E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Bs_Def.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" + hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" + hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" + hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100730075007300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName AsusTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320034 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* InternalName BsDefsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007500700070006f0072007400200053005300540033003900530046003000320030002c0053005300540032003900450045003000320030002c004100540034003900460030003000320054002c00410054003200390043003000320030002c0041004d003200390046003000300032004e0054002c0041004d003200390046003000300032004e0042002c0056003200390043003500310030003000320054002c0056003200390043003500310030003000320042002c004d0032003900460030003000320054002c0057003200390043003000320030002e } /* ProductName SupportSSTSFSSTEEATFTATCAMFNTAMFNBVCTVCBMFTWC */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* OriginalFilename BsDefsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004100730075007300540065006b00200043006f006d00700075007400650072002e00200031003900390032002d0032003000300034 } /* LegalCopyright CopyrightCAsusTekComputer */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_F27F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" + hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" + hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" + hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" + hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" + hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" + date = "2024-08-07" + score = 40 + strings: 
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_2E66 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_5A66 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" - hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" - hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" - hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" + hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" - date = 
"2023-11-02" + hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" + hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" + hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ 
@@ -1687,1786 +2234,1795 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_2E66 { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8D57 { +rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" - hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" - hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" - hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" - hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" - hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" - date = "2023-11-02" + hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310035002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* InternalName PanIOxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* OriginalFilename PanIOxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9B6A { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2023-11-02" + hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00320037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00320037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = 
{ 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310039 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) 
== 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { +rule PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" - hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" - date = "2023-11-02" + hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006e0054006500630068002000540061006900770061006e } /* CompanyName EnTechTaiwan */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065003600340061002e007300790073 } /* InternalName seasys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0073006f006600740045006e00670069006e0065002d007800360034 } /* ProductName softEnginex */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065003600340061002e007300790073 } /* OriginalFilename seasys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200045006e0054006500630068002000540061006900770061006e002c00200032003000300034002d0032003000300036002e } /* LegalCopyright CopyrightcEnTechTaiwan */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9521 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4" - hash = "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7" - hash = "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94" - hash = "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526" - hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" - hash = "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d" - hash = "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805" - hash = "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793" - hash = "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb" - hash = "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558" - hash = "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8" - hash = "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482" - hash = "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499" - hash = 
"99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1" - hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" - hash = "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1" - hash = "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7" - hash = "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03" - hash = "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4" - hash = "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2" - hash = "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be" - hash = "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57" - hash = "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6" - hash = "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5" - hash = "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6" - hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" - hash = "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530" - hash = "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d" - hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" - hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" - hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" - date = "2023-11-02" + hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* 
FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + condition: + uint16(0) == 0x5a4d and filesize < 300KB and all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_F159 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc 
*/ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* ProductVersion */ + $ 
= { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" + hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* 
InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 500KB and all of them +} + + +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_3C11 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d" + hash = "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9" + hash = "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName 
NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300030003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_2F8B { +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hwdetectng.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f" - hash = "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2" - hash = "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee" - date = "2023-11-02" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480057004400650074006500630074004e0047 } /* FileDescription HWDetectNG */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069004e00460045005200520045 } /* CompanyName iNFERRE */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* InternalName hwdetectngsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* ProductName 
hwdetectngsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* OriginalFilename hwdetectngsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200032003000300038002d0030003900200069004e00460045005200520045 } /* LegalCopyright ciNFERRE */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
MicrosoftCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Asustek_Driversys_Ectool_4285 { +rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" - hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" - hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" - date = "2023-11-02" + hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300740065006b } /* CompanyName ASUStek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044007200690076006500720037002e007300790073 } /* InternalName Driversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300200074006f006f006c } /* ProductName ECtool */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044007200690076006500720037 } /* OriginalFilename Driver */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003100310035 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Netfiltersys_26D6 { +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_4932 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" - hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" - hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" - date = "2023-11-02" + hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + hash = 
"84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" + hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" + hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" + hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B832 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25" - hash = "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f" - date = "2023-11-02" + hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D682 { +rule PUA_VULN_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476" - hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" - hash = 
"88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc" - hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" - hash = "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06" - hash = "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a" - hash = "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7" - hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478" - hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" - hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" - hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" - date = "2023-11-02" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 { +rule PUA_VULN_Driver_Intelcorporation_Stdcdrvsys_Selftestdatacollector_3702 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - stdcdrv64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-11-02" + hash = "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* FileDescription 
SelfTestDataCollector */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* InternalName stdcdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* ProductName SelfTestDataCollector */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* OriginalFilename stdcdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcIntelCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_2203 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958" - date = "2023-11-02" + hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" + hash = 
"e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300038002c002000300035002c002000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { +rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" - date = "2023-11-02" + hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" + hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_3C0A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-11-02" + hash = "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00330032 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_5A82 { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5FAE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values 
from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" - hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" - date = "2023-11-02" + hash = "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright CopyrightCEldoSCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-11-02" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002d003200300032003100200048005000200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCHPIncAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_B8DE { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1A45 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" - hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" - hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" - hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" - hash = 
"16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" - date = "2023-11-02" + hash = "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright 
CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" - date = "2023-11-02" + hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" + hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003000390039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 500KB and all of them } -rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { +rule PUA_VULN_Driver_Yyinc_Dianhu_80CB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel_10.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-11-02" + hash = 
"80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" + hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300750070006500720062006d0063 } /* InternalName superbmc */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007300750070006500720062006d0063 } /* ProductName superbmc */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300750070006500720062006d0063002e007300790073 } /* OriginalFilename superbmcsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0059005900200049006e0063002e } /* CompanyName YYInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* ProductVersion */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006400690061006e00680075 } /* ProductName dianhu */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d003200300031003700200059005900200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightYYIncAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" - date = "2023-11-02" + hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" + hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" + hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_DD2F { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" - hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" - hash = 
"b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" - hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" - date = "2023-11-02" + hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Wnbiossys_Windowsrwinddkdriver_530D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wnbios.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "530d9223ec7e4123532a403abef96dfd1af5291eb49497392ff5d14d18fccfbb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0057006e00420069006f00730020004400720069007600650072 } /* FileDescription WnBiosDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* InternalName wnbiossys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* OriginalFilename wnbiossys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Dell_Dbutil_71FE { +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-11-02" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00440065006c006c } /* CompanyName Dell */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0037002e0030002e0030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440042005500740069006c } /* ProductName DBUtil */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000320031002000440065006c006c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e0020 } /* LegalCopyright DellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rwdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" - hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" - hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" - hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" - hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" - hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" - hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" - hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" - date = "2023-11-02" + hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005200770044007200760020004400720069007600650072 } /* ProductName RwDrvDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Netfiltersys_7FF8 { +rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { meta: - description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" - hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" - hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" - date = "2023-11-02" + hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" + hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* 
LegalCopyright Copyrightwyjsqcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elitegroupcomputersystems_Ecsiodriversys_Ecsiodriver_2705 { +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ecsiodriverx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc" - date = "2023-11-02" + hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045004300530049006f004400720069007600650072 } /* FileDescription ECSIoDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073 } /* CompanyName ElitegroupComputerSystems */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* InternalName ECSIoDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300530049006f004400720069007600650072 } /* ProductName ECSIoDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* OriginalFilename ECSIoDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d003200300031003000200045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCElitegroupComputerSystemsAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310035002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_F4E5 { +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_909D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114" - hash = "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54" - date = "2023-11-02" + hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { +rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-11-02" + hash = 
"ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" + hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" + hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" + hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" + hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" + hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e002c00200032003000300033 } /* LegalCopyright CopyrightCATITechnologiesInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_E502 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-11-02" + hash = "e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65" + hash = "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab" + hash = "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7" + hash = "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName MsIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1078 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-11-02" + hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" + date = "2024-08-07" score = 40 
strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright 
CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_F7E0 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" - hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" - hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" - hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" - hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-11-02" + hash = 
"3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-11-02" + hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ - $ 
= { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_16A2 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6FB5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" - hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2023-11-02" + hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_3B71 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NalDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" - hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2023-11-02" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003300200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2023-11-02" + hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_C190 { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" - date = "2023-11-02" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2024-08-07" score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* 
LegalCopyright CopyrightAlmicoSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_DAF5 { +rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" - hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" - hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" - date = "2023-11-02" + hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079 } /* CompanyName HPDevelopmentCompany */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* InternalName etdsuppsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048005000200045005400440069002000440072006900760065007200200044004c004c } /* ProductName HPETDiDriverDLL */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* OriginalFilename etdsuppsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200031003900390031002d00320030003200320020004800650077006c006500740074002d005000610063006b00610072006400200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079002c0020004c002e0050002e } /* LegalCopyright CCopyrightHewlettPackardDevelopmentCompanyLP */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { +rule 
PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_DB1D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-11-02" + hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" + hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" + hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" + hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" + hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" + hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" + hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" + hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* 
OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysDrv3S.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-11-02" + hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00330053002d0053006d00610072007400200053006f00660074007700610072006500200053006f006c007500740069006f006e007300200047006d00620048 } /* CompanyName SSmartSoftwareSolutionsGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c0035002c0036002c0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0035002e0036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530079007300440072007600330053 } /* InternalName SysDrvS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079007300440072007600330053 } /* ProductName SysDrvS */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530079007300440072007600330053002e007300790073 } /* OriginalFilename SysDrvSsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300036002d0032003000310034 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { +rule PUA_VULN_Driver_Netfiltersys_1265 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2023-11-02" + hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" + hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" + hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007000790072006900670068007400200032003000310038002e } /* CompanyName Copyright */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* 
ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* ProductName AdvancedMalwareProtection */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005a0041004d002e006500780065 } /* OriginalFilename ZAMexe */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000310038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB 
and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3CB1 { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284" - hash = "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91" - date = "2023-11-02" + hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D636 { +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_C79A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" - hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" - hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" - date = "2023-11-02" + hash = "c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003300200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00330020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0033 } /* ProductName MsIoDriverVersion */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1072 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a" - hash = "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994" - date = "2023-11-02" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0061007600610073007400210020004e0047 } /* ProductName avastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003200200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_405A { +rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" - hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" - hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" - hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" - hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-11-02" + hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" + hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" + hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" + hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" + hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" + hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* 
InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073 } /* CompanyName PhoenixTechnologies */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* InternalName Agentsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004400720069007600650072004100670065006e0074 } /* ProductName DriverAgent */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* OriginalFilename Agentsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0045006e0054006500630068002000540061006900770061006e002c00200031003900390037002d0032003000300039 } /* LegalCopyright EnTechTaiwan */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_FA77 { 
meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2023-11-02" + hash = "fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a" + hash = "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" - date = "2023-11-02" + hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { +rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" - hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" - hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" - hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" - hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" - hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-11-02" + hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ + $ = 
{ 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-11-02" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* 
InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { +rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrIbDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-11-02" + hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" + hash = "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de" + hash = "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f" + hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" + hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" + hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* ProductVersion r */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion 
builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* ProductName RWEverythingReadWriteDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_003E { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" - date = "2023-11-02" + hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000340037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_A97B { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_2203 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67" - hash = "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d" - date = "2023-11-02" + hash = "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300038002c002000300035002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* 
OriginalFilename NVoclockRC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-11-02" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003200320039 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Evgatechnologyinc_Windowsvistasmartiodevice_Windowsvistasmartiodevice_3C95 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_468B { meta: - description 
= "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SMARTEIO64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50" - date = "2023-11-02" + hash = "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5" + hash = "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* FileDescription WindowsVistaSmartIODevice */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName EVGATechnologyInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* InternalName WindowsVistaSmartIODevice */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* ProductName WindowsVistaSmartIODevice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053004d00410052005400450049004f00360034002e005300590053 } /* OriginalFilename SMARTEIOSYS */ - $ 
= { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800630029002000320030003000370020004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightcEVGATechnologyInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avaluetechnologyinc_Avalueio_Avalueio_DEFD { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - avalueio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd" - hash = "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec" - date = "2023-11-02" + hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100760061006c007500650049004f0020004400720069007600650072 } /* FileDescription AvalueIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0020004100760061006c0075006500200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName AvalueTechnologyInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100560041004c005500450049004f } /* InternalName AVALUEIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061006c007500650049004f0020 } /* ProductName AvalueIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100560041004c005500450049004f002e005300590053 } /* OriginalFilename AVALUEIOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006300200032003000310036 } /* LegalCopyright Copyrightc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" - date = "2023-11-02" + hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { +rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-11-02" + hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ 
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* InternalName PanMonFltsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* OriginalFilename PanMonFltsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_653F { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_F4E5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" - hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" - hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" - date = "2023-11-02" + hash = "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114" + hash = "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_0D13 { +rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180" - hash = "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76" - date = "2023-11-02" + hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e00310037003000350032002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310037002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c0065006e006f0076006f002000470072006f007500700020004c0069006d00690074006500640020002800520029 } /* CompanyName LenovoGroupLimitedR */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* InternalName LenovoDiagnosticsDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073 } /* ProductName LenovoDiagnostics */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* OriginalFilename LenovoDiagnosticsDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000320030003200310020004c0065006e006f0076006f002000470072006f007500700020004c0069006d0069007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright LenovoGroupLimitedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_64DD { +rule PUA_VULN_Driver_3F20 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66" - hash = "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3" - date = "2023-11-02" + hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 700KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 { +rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { meta: - description = "Detects vulnerable driver mentioned 
in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2023-11-02" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310034002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright 
CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F { +rule PUA_VULN_Driver_Dell_Dbutil_71FE { meta: - description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PCHunter.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2023-11-02" + hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]4e00666e660e4e3aff0853174eacff094fe1606f6280672f67099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* InternalName PCHuntersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050004300480075006e007400650072 } /* ProductName PCHunter */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* OriginalFilename PCHuntersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310033002d0032003000310036002000450070006f006f006c0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CEpoolsoftCorporationAllRightsReserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440065006c006c } /* CompanyName Dell */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0037002e0030002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440042005500740069006c } /* ProductName DBUtil */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000320031002000440065006c006c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e0020 } /* LegalCopyright DellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 800KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { +rule PUA_VULN_Driver_Cn_Computerzsys_6D2C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" - hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" - hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" - hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" - hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" - hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" - hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" - date = "2023-11-02" + hash = "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d" + hash = 
"8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100330020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { +rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" - hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2023-11-02" + hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" + hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034 } /* ProductName NTIOLibX */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f } /* InternalName ATSZIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { +rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { meta: - 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - asmmap64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" - date = "2023-11-02" + hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005300550053 } /* CompanyName ASUS */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* InternalName asmmapsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004b002000470065006e0065007200690063002000460075006e006300740069006f006e00200053006500720076006900630065 } /* ProductName ATKGenericFunctionService */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* OriginalFilename asmmapsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_13AE { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9724 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9" - hash = "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc" - hash = "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91" - hash = 
"71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713" - hash = "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3" - hash = "8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040" - date = "2023-11-02" + hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" + hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* 
FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" - hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" - date = "2023-11-02" + hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" + date = 
"2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_5A0B { +rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23BA { meta: - description = "Detects vulnerable driver mentioned 
in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LHA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9" - hash = "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d" - hash = "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca" - date = "2023-11-02" + hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" + hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300030003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c004700200045006c0065006300740072006f006e00690063007300200049006e0063002e } /* CompanyName LGElectronicsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00480041002e007300790073 } /* InternalName LHAsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00480041002e007300790073 } /* OriginalFilename LHAsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0075006c00740072006100620069006f007300400068006f0074006d00610069006c002e0063006f006d } /* LegalCopyright ultrabioshotmailcom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 { +rule PUA_VULN_Driver_Elitegroupcomputersystems_Ecsiodriversys_Ecsiodriver_2705 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values 
from the PE header - ecsiodriverx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ + hash = "270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045004300530049006f004400720069007600650072 } /* FileDescription ECSIoDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073 } /* CompanyName ElitegroupComputerSystems */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* InternalName ECSIoDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300530049006f004400720069007600650072 } /* ProductName ECSIoDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* OriginalFilename ECSIoDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d003200300031003000200045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCElitegroupComputerSystemsAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { +rule PUA_VULN_Driver_Cn_Computerzsys_8D33 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-11-02" + hash = "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409" + hash = "31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AE3A { +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_C586 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156" - date = "2023-11-02" + hash = "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65" + hash = "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ 
= { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_8ED0 { +rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" - hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" - hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" - hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" - date = "2023-11-02" + hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f0067004d00650049006e002c00200049006e0063002e } /* CompanyName LogMeInInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* InternalName LMIinfosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0067004d00650049006e } /* ProductName LogMeIn */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* OriginalFilename LMIinfosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033002d00320030003100370020004c006f0067004d00650049006e002c00200049006e0063002e00200050006100740065006e00740065006400200061006e006400200070006100740065006e00740073002000700065006e00640069006e0067002e } /* 
LegalCopyright CopyrightLogMeInIncPatentedandpatentspending */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_9C8E { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91" - hash = "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e" - date = "2023-11-02" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName 
GPCXCDIOBMPCICPCI */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300031003400200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: uint16(0) == 
0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-11-02" + hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* InternalName CupFixerxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* OriginalFilename 
CupFixerxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_A66B { +rule 
PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_9D93 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e" - hash = "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727" - date = "2023-11-02" + hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0034002e00320031003300340033002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000320031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_00C3 { 
+rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c" - date = "2023-11-02" + hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" + hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" + hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e003200320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030002e00320032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300034002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright CopyrightcRadiantSystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-11-02" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -3477,7 +4033,7 @@ rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprov reference = "https://github.com/magicsword-io/LOLDrivers" hash = "edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5" hash = "4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51" - date = "2023-11-02" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ 
@@ -3493,1185 +4049,1185 @@ rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprov } -rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - -rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_7142 { 
+rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5" - hash = "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65" - date = "2023-11-02" + hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00360034 } /* FileDescription GenericPortIOforWin */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_A072 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BCED { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
AsrSetupDrv103.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" - hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" - date = "2023-11-02" + hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright 
CopyrightCRWEverything */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e00330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300035 } /* LegalCopyright CopyrightCMRussinovich */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - 
hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-11-02" + hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_1493 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" - date = "2023-11-02" + hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { +rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7C0F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-11-02" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = 
"d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 2900KB and all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-11-02" + hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { +rule PUA_VULN_Driver_Cn_Computerzsys_BC45 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" - hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" - date = 
"2023-11-02" + hash = "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e" + hash = "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_0F3E { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" - hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" - hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" - hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" - hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" - hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" - hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" - date = "2023-11-02" + hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278 { +rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440" - date = "2023-11-02" + hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005700610074006300680044006f006700200041006e00740069007600690072007500730020004400720069007600650072 } /* FileDescription WatchDogAntivirusDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005700610074006300680044006f00670044006500760065006c006f0070006d0065006e0074002e0063006f006d002c0020004c004c0043002e } /* CompanyName WatchDogDevelopmentcomLLC */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* InternalName wsdkdsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007700730064006b0064 } /* ProductName wsdkd */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* OriginalFilename wsdkdsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053006100660065004e00650074002c00200049006e0063002e } /* CompanyName SafeNetInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048006f00730074006e0074 } /* InternalName Hostnt */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0048006f00730074006e0074 } /* ProductName Hostnt */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048006f00730074006e0074002e007300790073 } /* OriginalFilename Hostntsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000200053006100660065004e00650074002c00200049006e0063002e } /* LegalCopyright CopyrightCSafeNetInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { +rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-11-02" + hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00300031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300037 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_848B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-11-02" + hash = "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_6B71 { +rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" 
author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" - hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - date = "2023-11-02" + hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { +rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_2AA1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HW.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" - hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-11-02" + hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003100350020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-11-02" + hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" + hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* 
FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000370030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" - date = "2023-11-02" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_903D { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b" - hash = "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0" - date = "2023-11-02" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date 
= "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00320030002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e0030002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_4C2D { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { meta: - description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" - hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" - hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" - hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" - date = "2023-11-02" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-11-02" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-11-02" + hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500069006e00640075006f00640075006f0020004c0074006400200043006f00720070 } /* CompanyName PinduoduoLtdCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00500069006e00640075006f00640075006f00200053006500630075007200650020005600440049 } /* ProductName PinduoduoSecureVDI */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d0032003000320031002000500069006e00640075006f00640075006f00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCPinduoduoCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 1000KB and all of them + uint16(0) == 0x5a4d and filesize < 500KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" - date = "2023-11-02" + hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_898E { +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289" - hash = "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8" - date = "2023-11-02" + hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" + hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" + hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" + hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" + hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" + hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310035002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" - hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-11-02" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00340030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00340030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule 
PUA_VULN_Driver_Novellinc_Novellxtier_1493 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_71C0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" - hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" - hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - date = "2023-11-02" + hash = "71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713" + hash = "13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9" + hash = "8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040" + hash = "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc" + hash = "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91" + hash = "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } 
/* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { +rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-11-02" + hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310035002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* InternalName speedfansys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* OriginalFilename speedfansys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* 
LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { +rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-11-02" + hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-11-02" + hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { +rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-11-02" + hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* 
LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_075D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-11-02" + hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" + hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000340039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename 
TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00330032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00330032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320030 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { +rule 
PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_AE42 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" - hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-11-02" + hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" + hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" + hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000360035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003300200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00330020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0033 } /* ProductName MsIoDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { +rule 
PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" - date = "2023-11-02" + hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* 
LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-11-02" + hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006e0054006500630068002000540061006900770061006e } /* CompanyName EnTechTaiwan */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065003600340061002e007300790073 } /* InternalName seasys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0073006f006600740045006e00670069006e0065002d007800360034 } /* ProductName softEnginex */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065003600340061002e007300790073 } /* OriginalFilename seasys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200045006e0054006500630068002000540061006900770061006e002c00200032003000300034002d0032003000300036002e } /* LegalCopyright CopyrightcEnTechTaiwan */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D7C9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-11-02" + hash = "d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8" + hash = "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003100200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300030002c002000300030002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { +rule PUA_VULN_Driver_Cn_Computerzsys_A97B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" - date = "2023-11-02" + hash = "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67" + hash = "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { +rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-11-02" + hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" + hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034 } /* ProductName NTIOLibX */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { +rule PUA_VULN_Driver_Featureintegrationtechnologyinc_Fintekpciecom_81FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-11-02" + hash = "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d" + hash = "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f00620069007400200049006e0066006f0072006d006100740069006f006e00200054006500630068006e006f006c006f00670079 } /* CompanyName IObitInformationTechnology */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0055006e006c006f0063006b00650072 } /* ProductName Unlocker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460049004e00540045004b002000500043004900450043004f004d00200041006400610070007400650072 } /* FileDescription FINTEKPCIECOMAdapter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName FeatureIntegrationTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460049004e00540045004b002000500043004900450043004f004d0020 } /* ProductName FINTEKPCIECOM */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200320020004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightCFeatureIntegrationTechnologyInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficymachineedition_Build_CAC5 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6BFC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461" - hash = "51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb" - date = "2023-11-02" + hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" + hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" + hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* CompanyName GEIntelligentPlatformsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* FileVersion Build */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* ProductVersion Build */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310031002c00200047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* LegalCopyright GEIntelligentPlatformsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310031 } /* LegalCopyright CopyrightCMRussinovich */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7A48 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-11-02" + hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_909D { +rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-11-02" + hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003800360035 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FairplayKD.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-11-02" + hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee" + hash = "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9" + hash = "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c" + hash = "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5" + hash = "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7" + hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" + hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" + hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0075006c007400690020005400680065006600740020004100750074006f } /* CompanyName MultiTheftAuto */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00540041002000530061006e00200041006e00640072006500610073 } /* ProductName MTASanAndreas */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003000330020002d002000320030003100370020004d0075006c007400690020005400680065006600740020004100750074006f } /* LegalCopyright CMultiTheftAuto */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300030003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_4D77 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d" - date = "2023-11-02" + hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_F629 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" - hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" - date = "2023-11-02" + hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename 
nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { +rule 
PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_8899 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-11-02" + hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" + hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" + hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" + hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003800360035 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* 
CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { +rule PUA_VULN_Driver_Filseclabcorporation_Fildds_Filseclabdynamicdefensesystem_F8C0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - fildds.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-11-02" + hash = 
"f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* 
CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006400640073 } /* InternalName fildds */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006400640073002e007300790073 } /* OriginalFilename filddssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310031002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-11-02" + hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* 
FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* 
FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ 
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" - date = "2023-11-02" + hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-11-02" + hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" - date = "2023-11-02" + hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" + hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" + hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and 
all of them } -rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { +rule PUA_VULN_Driver_Nmscommunications_Cgkwinksys_Ctaccess_223F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cg6kwin2k.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" - date = "2023-11-02" + hash = "223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430047002f004d0047002000660061006d0069006c00790020006400720069007600650072 } /* FileDescription CGMGfamilydriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e004d005300200043006f006d006d0075006e00690063006100740069006f006e0073 } /* CompanyName NMSCommunications */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e003000300020006200750069006c0074002000620079003a002000410064006d0069006e006900730074007200610074006f0072 } /* FileVersion builtbyAdministrator */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* InternalName cgkwinksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004300540020004100630063006500730073 } /* ProductName CTAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* OriginalFilename cgkwinksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004e004d005300200043006f006d006d0075006e00690063006100740069006f006e007300200043006f00720070002e0032003000300034 } /* LegalCopyright CopyrightCNMSCommunicationsCorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E6D1 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5" - date = "2023-11-02" + hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600330032002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000350038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { +rule 
PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-11-02" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Generalelectriccompany_Gedevicedriver_Proficymachineedition_Build_A369 { +rule 
PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce" - hash = "ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc" - date = "2023-11-02" + hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* CompanyName GeneralElectricCompany */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* FileVersion Build */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* ProductVersion Build */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310037002000470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* LegalCopyright GeneralElectricCompany */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* InternalName CupFixerxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* OriginalFilename CupFixerxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } 
@@ -4684,7 +5240,7 @@ rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwa reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0" hash = "f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2" - date = "2023-11-02" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ 
@@ -4700,41 +5256,41 @@ rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwa } -rule PUA_VULN_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { +rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" - date = "2023-11-02" + hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_87B4 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_4D77 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b" - date = "2023-11-02" + hash = "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ 
@@ -4744,693 +5300,616 @@ rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_87B4 { } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - -rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E452 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them -} 
- - -rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" - hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - -rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { +rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" - hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" - date = "2023-11-02" + hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 
} /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000390038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { +rule PUA_VULN_Driver_Cn_Computerzsys_00D9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-11-02" + hash = 
"00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007000680079006d0065006d } /* InternalName phymem */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007000680079006d0065006d } /* ProductName phymem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007000680079006d0065006d002e007300790073 } /* OriginalFilename phymemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physicalmemoryaccessdriver_C299 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_C35C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - physmem.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-11-02" + hash = "c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048 } /* 
CompanyName HilscherGesellschaftfrSystemaoutomationmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* InternalName physmemsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* ProductName PhysicalMemoryAccessDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* OriginalFilename physmemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright HilscherGesellschaftfrSystemaoutomationmbHAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName 
DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_D04C { +rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" - hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" - hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" - hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" - date = "2023-11-02" + hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver 
*/ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* InternalName IOMapsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* ProductName 
ASUSKernelModeDriverforNT */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* OriginalFilename IOMapsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003100300020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-11-02" + hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { +rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E452 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-11-02" + hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_6C71 { +rule 
PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ncpl.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" - hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" - hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" - hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" - hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-11-02" + hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" + hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CopyrightMarvinTestSolutionsIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E602 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-11-02" + hash = "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_0005 { +rule 
PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" - hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" - date = "2023-11-02" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 { +rule 
PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_5DF6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-11-02" + hash = "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003300200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-11-02" + hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright 
CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { +rule PUA_VULN_Driver_Cn_Computerzsys_348D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" - date = "2023-11-02" + hash = "348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1" + hash = "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { +rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5" - hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" - hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" - hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" - hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - date = "2023-11-02" + hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_BB11 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" - hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" - date = "2023-11-02" + hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004800750061007700650069 } /* CompanyName Huawei */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077004f0073003200450063 } /* InternalName HwOsEc */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0048007500610077006500690020004d0061007400650042006f006f006b } /* ProductName HuaweiMateBook */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480077004f0073003200450063002e007300790073 } /* OriginalFilename HwOsEcsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310036 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ 
condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { +rule PUA_VULN_Driver_Evgatechnologyinc_Windowsvistasmartiodevice_Windowsvistasmartiodevice_3C95 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SMARTEIO64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-11-02" + hash = "3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* FileDescription WindowsVistaSmartIODevice */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName EVGATechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* InternalName WindowsVistaSmartIODevice */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* ProductName WindowsVistaSmartIODevice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053004d00410052005400450049004f00360034002e005300590053 } /* OriginalFilename SMARTEIOSYS */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800630029002000320030003000370020004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightcEVGATechnologyInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" - date = "2023-11-02" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_5DF6 { +rule 
PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00" - date = "2023-11-02" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } 
/* OriginalFilename PDFWKRNLsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003300200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_1FAC { +rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" - hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-11-02" + hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-11-02" + hash = 
"7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" + hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Netfiltersys_F171 { +rule PUA_VULN_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_D8FC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" - date = "2023-11-02" + hash = "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* FileDescription WistronRWADriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* CompanyName WistronCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* InternalName WiRwaDrvsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* ProductName WistronRWADriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* OriginalFilename WiRwaDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCWistronCorporation */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-11-02" + hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ 
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_F14D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" - hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-11-02" + hash = "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d" + hash = "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-11-02" + hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370038 } /* 
FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" - 
reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" - hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-11-02" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* 
FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = 
"2023-11-02" + hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000360033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Atlaccesssys_Windowsrwinddkdriver_0B57 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atlAccess.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-11-02" + hash = "0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003100300034 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006d0070006c0065002000500043004900200061006300630065007300730020006400720069007600650072 } /* FileDescription SimplePCIaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* InternalName atlAccesssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* OriginalFilename atlAccesssys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_8047 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_909F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250" - hash = "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d" - date = "2023-11-02" + hash = "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* 
ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100330020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { +rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { meta: description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-11-02" + hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003900380034 } /* ProductVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003900320038 } /* ProductVersion */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: 
@@ -5438,1607 +5917,1485 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { } -rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrRapidStartDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" - hash = "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de" - hash = "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f" - hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" - hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" - hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" - date = "2023-11-02" + hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* ProductName RWEverythingReadWriteDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_7C8A { +rule PUA_VULN_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc" - date = "2023-11-02" + hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00330033002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00330033002e0030002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000310038004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright NCRCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Databaseharborsoftware_Sysinfodetectorxsys_Sysinfodetector_45E5 { +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_9399 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysInfoDetectorX64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271" - date = "2023-11-02" + hash = "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727" + hash = "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200200066006f007200200053007900730049006e0066006f0020004400650074006500630074006f0072 } /* FileDescription DriverforSysInfoDetector */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* CompanyName DatabaseHarborSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* 
InternalName SysInfoDetectorXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007900730049006e0066006f0020004400650074006500630074006f0072 } /* ProductName SysInfoDetector */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* OriginalFilename SysInfoDetectorXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003400200044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* LegalCopyright CopyrightCDatabaseHarborSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0034002e00320031003300340033002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000320031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_8D33 { +rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409" - hash = "31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5" - date = "2023-11-02" + hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName 
*/ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" - date = "2023-11-02" + hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0035002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0035002e0031002e0031 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName 
SiSoftwareSandra */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300036002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1B00 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" - date = "2023-11-02" + hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" + hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Fintekcorp_Fintekcorpfintekpcieuart_32BD { +rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FairplayKD.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e" - hash = "b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe" - hash = "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d" - date = "2023-11-02" + hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006e00740065006b002000500063006900650032005500610072007400200041006400610070007400650072 } /* FileDescription FintekPcieUartAdapter */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e } /* CompanyName FintekCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e002000460069006e00740065006b0020005000630069006500320055006100720074 } /* ProductName FintekCorpFintekPcieUart */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200040002000460069006e00740065006b00200043006f00720070002e00200032003000300032002d0032003000310033 } /* LegalCopyright CopyrightFintekCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0075006c007400690020005400680065006600740020004100750074006f } /* CompanyName MultiTheftAuto */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* ProductVersion */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004d00540041002000530061006e00200041006e00640072006500610073 } /* ProductName MTASanAndreas */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003000330020002d002000320030003100370020004d0075006c007400690020005400680065006600740020004100750074006f } /* LegalCopyright CMultiTheftAuto */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Lv561av.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-11-02" + hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f00670069007400650063006800200049006e0063002e } /* CompanyName LogitechInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* InternalName Lvavsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004c006f006700690074006500630068002000570065006200630061006d00200053006f006600740077006100720065 } /* ProductName LogitechWebcamSoftware */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* OriginalFilename Lvavsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200031003900390036002d00320030003000390020004c006f006700690074006500630068002e002000200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright cLogitechAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 
600KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC { +rule PUA_VULN_Driver_Novellinc_Novellxtier_A153 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-11-02" + hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" + hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" + hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003300370031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } 
/* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_3F36 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-11-02" + hash = "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f" + hash = "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess 
*/ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003200300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-11-02" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-11-02" + hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: uint16(0) == 0x5a4d and filesize < 200KB 
and all of them } -rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Pancafemanager_0650 { +rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFltX64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-11-02" + hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* InternalName PanMonFltXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* OriginalFilename 
PanMonFltXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_C586 { +rule PUA_VULN_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65" - hash = "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d" - date = "2023-11-02" + hash = "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* ProductVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ZwuqiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a6b665668 } /* CompanyName Z */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* ProductName ZwuqiSystemDriver */ 
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e007a0077007500710069002e0063006f006d } /* LegalCopyright CopyrightCwwwzwuqicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_CAA8 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" - hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" - date = "2023-11-02" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion 
builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-11-02" + hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 
} /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) 
== 0x5a4d and filesize < 500KB and all of them } -rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE { +rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-11-02" + hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* InternalName speedfansys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* OriginalFilename speedfansys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { +rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values 
from the PE header - sfdrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" - date = "2023-11-02" + hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription 
Temperatureandsysteminformationdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-11-02" - score = 40 - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them -} - - -rule PUA_VULN_Driver_Realteksemiconductorcorp_Rtportsys_Realtekportio_FF32 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_6C5A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1" - date = "2023-11-02" + hash = 
"6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* FileDescription REALTEKPortIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* CompanyName REALTEKSemiconductorCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* InternalName RTPORTSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* ProductName REALTEKPortIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* OriginalFilename RTPORTSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200031003900390039002d00320030003000310020005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* LegalCopyright CopyrightcREALTEKSemiconductorCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E0 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-11-02" + hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* ProductVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* 
LegalCopyright CopyrightcAVASTSoftware */ condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_BC45 { +rule PUA_VULN_Driver_Cn_Computerzsys_3913 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e" - hash = "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714" - date = "2023-11-02" + hash = "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d" + hash = "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1" + hash = "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003100200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { +rule PUA_VULN_Driver_Cn_Computerzsys_767E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-11-02" + hash = "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b" + hash = "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-11-02" + hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* ProductVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_909F { +rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandports_4E3E { meta: - description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - otipcibus.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77" - date = "2023-11-02" + hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00540069 } /* CompanyName OTi */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* InternalName otipcibussys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200054006f002000410063006300650073007300200050006800790073006900630061006c0020004d0065006d006f0072007900200041006e006400200050006f007200740073 } /* ProductName KernelModeDriverToAccessPhysicalMemoryAndPorts */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* OriginalFilename otipcibussys */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-11-02" + hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" + date = "2024-08-07" score = 
40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000350038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_A34E { +rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1" - hash = "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d" - hash = "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9" - date = "2023-11-02" + hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName MsIoDriverVersion */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_F8D4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-11-02" + hash = "f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310033 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003700200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3C7E { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" - hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" - hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" - date = "2023-11-02" + hash = "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb" + hash = "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } 
/* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310031 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_77DA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" - date = "2023-11-02" + hash = "77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f" + hash = "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp 
*/ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro 
*/ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them -} - - -rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_Dev_DF96 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_0368 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0030002e0030002e003200200044006500760020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion DevbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0030002e0030002e00320020004400650076 } /* ProductVersion Dev */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d00320030003100370020004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcNCRCorporation */ + hash = "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d" + hash = "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them 
} -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B0DC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvaudio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-11-02" + hash = "b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } 
/* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_2D83 { +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_7C79 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" - hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" - hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" - date = "2023-11-02" + hash = "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* InternalName inpoutxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f007500740078003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutxDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* OriginalFilename inpoutxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0039002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0039002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5FAE { +rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879" - date = "2023-11-02" + hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { +rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PCHunter.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-11-02" + hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]4e00666e660e4e3aff0853174eacff094fe1606f6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* InternalName PCHuntersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050004300480075006e007400650072 } /* ProductName PCHunter */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* OriginalFilename PCHuntersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310033002d0032003000310036002000450070006f006f006c0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CEpoolsoftCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 800KB and all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" 
author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-11-02" + hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0035002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0035002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300036002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { +rule PUA_VULN_Driver_Cn_Computerzsys_0FC3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2023-11-02" + hash = "0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7" + hash = "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554" + date = 
"2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003100200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00310020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0031 } /* ProductName MsIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { +rule PUA_VULN_Driver_Netfiltersys_EDC6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" - hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" - date = "2023-11-02" + hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" + hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" + hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { +rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" - hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" - date = "2023-11-02" + hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003900380034 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* 
LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_7337 { +rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e" - hash = "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4" - date = "2023-11-02" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d 
and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0C92 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" - hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" - date = "2023-11-02" + hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3CB1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" 
author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-11-02" + hash = "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284" + hash = "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + 
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_D8FC { +rule PUA_VULN_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e" - date = "2023-11-02" + hash = "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* FileDescription WistronRWADriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* CompanyName WistronCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* InternalName WiRwaDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* ProductName WistronRWADriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* OriginalFilename WiRwaDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCWistronCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005700610074006300680044006f006700200041006e00740069007600690072007500730020004400720069007600650072 } /* FileDescription WatchDogAntivirusDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005700610074006300680044006f00670044006500760065006c006f0070006d0065006e0074002e0063006f006d002c0020004c004c0043002e } /* CompanyName WatchDogDevelopmentcomLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } 
/* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* InternalName wsdkdsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007700730064006b0064 } /* ProductName wsdkd */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* OriginalFilename wsdkdsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_3933 { +rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_B179 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec7x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0" - hash = "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d" - date = "2023-11-02" + hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" + hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004800750061007700650069 } /* CompanyName Huawei */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077004f0073003200450063 } /* InternalName HwOsEc */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048007500610077006500690020004d0061007400650042006f006f006b } /* ProductName HuaweiMateBook */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480077004f0073003200450063002e007300790073 } /* 
OriginalFilename HwOsEcsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310036 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 { +rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-11-02" + hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { +rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" - date = "2023-11-02" + hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003200320039 } /* ProductVersion */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_66F8 { +rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" - hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" - date = "2023-11-02" + hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { +rule 
PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-11-02" + hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0033002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0033002e0031002e0031 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" - date = "2023-11-02" + hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all 
of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_0F30 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" - date = "2023-11-02" + hash = "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0" + hash = "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00320030002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e0030002e0037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and 
all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { +rule PUA_VULN_Driver_Insydesoftware_Insydeflash_Insydeflashutilitybitdriver_CE0A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iscflashx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-11-02" + hash = "ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9" + date = "2024-08-07" score = 40 strings: - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* InternalName ADVDRVsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f006600740052002000570069006e0064006f0077007300520020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsROperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* OriginalFilename ADVDRVsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800430029002000460055004a00490054005300550020004c0049004d004900540045004400200032003000300035 } /* 
LegalCopyright CopyrightCFUJITSULIMITED */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* FileDescription iscflashxsys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f006600740077006100720065 } /* CompanyName InsydeSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049006e00730079006400650046006c006100730068 } /* InternalName InsydeFlash */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e007300790064006500200046006c0061007300680020005500740069006c00690074007900200036003400200062006900740020004400720069007600650072 } /* ProductName InsydeFlashUtilitybitDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* OriginalFilename iscflashxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003500200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them -} - - -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-11-02" + hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000350036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000390031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 { +rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-11-02" + hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 
} /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* InternalName PanMonFltsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* OriginalFilename PanMonFltsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-11-02" + hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" + hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* FileVersion r */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* ProductVersion r */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { +rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-11-02" + hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" + hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100340030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Ludashicom_Computerzsys_3F36 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_16E2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f" - hash = "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60" - date = "2023-11-02" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003200300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_060D { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-11-02" + hash = "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f" + hash = "b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* InternalName Monitorsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e006300650064002000530079007300740065006d0043006100720065 } /* ProductName AdvancedSystemCare */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* OriginalFilename Monitorsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_7553 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-11-02" + hash = "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3" + hash = "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0033002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0033002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { +rule PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-11-02" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName 
DTResearchInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_D884 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" - hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" - hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - date = "2023-11-02" + hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* InternalName vmdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* OriginalFilename vmdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200056006f006900630065006d006f006400200053002e004c002e0032003000310030002d0032003000320030 } /* LegalCopyright CopyrightCVoicemodSL */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_CDFB { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" - hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" - date = "2023-11-02" + hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00330032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00330032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys 
*/ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320030 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and 
filesize < 200KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { +rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-11-02" + hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0032002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0032002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* InternalName aswVmmsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00610076006100730074002100200041006e0074006900760069007200750073 } /* ProductName avastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* OriginalFilename aswVmmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003300200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Computerz_Computerzsys_Computerzsystemdriver_61F3 { +rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { meta: - description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874" - date = "2023-11-02" + hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ComputerZSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f006d00700075007400650072005a } /* CompanyName ComputerZ */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* ProductName ComputerZSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300030003800200043006f006d00700075007400650072005a } /* LegalCopyright CopyrightCComputerZ */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* 
FileDescription GIGABYTENonPNPDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037003100320030003100300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006700640072007600360034 } /* ProductName gdrv */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandports_4E3E { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - otipcibus.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-11-02" + hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00540069 } /* CompanyName OTi */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* InternalName otipcibussys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200054006f002000410063006300650073007300200050006800790073006900630061006c0020004d0065006d006f0072007900200041006e006400200050006f007200740073 } /* ProductName KernelModeDriverToAccessPhysicalMemoryAndPorts */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* OriginalFilename otipcibussys */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = 
{ 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { +rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" - hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-11-02" + hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f } /* InternalName ATSZIO */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB 
and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_348D { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3D00 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1" - hash = "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778" - date = "2023-11-02" + hash = "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values 
from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-11-02" + hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000360033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { +rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" - date = "2023-11-02" + hash = 
"09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -7050,7 +7407,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-11-02" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -7066,2515 +7423,2594 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_16AE { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c" - hash = "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c" - date = "2023-11-02" + hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all 
of them } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E { +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-11-02" + hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* InternalName CPUDriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName 
WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* OriginalFilename CPUDriver */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006200790020004100530055005300540065006b00200043004f004d0050005500540045005200200049004e0043002e00200032003000300036 } /* LegalCopyright CopyrightbyASUSTekCOMPUTERINC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* FileVersion r */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* ProductVersion r */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule 
PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxc_1183 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d003200580037003200430020004b00650072006e0065006c0020004400650076006900630065002000440072006900760065007200280053005900530029002000570069006e0064006f00770073004e0054 } /* FileDescription GPCXCKernelDeviceDriverSYSWindowsNT */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e007300790073 } /* InternalName CPXCsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043 } /* ProductName GPCXC */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043 } /* OriginalFilename CPXC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300030003700200049006e007400650072006600610063006500200043006f00720070002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorpAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-11-02" + hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 400KB and all of them +} + + +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000350032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006300740069007600650043006c00650061006e } /* ProductName ActiveClean */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_81D5 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05" - date = "2023-11-02" + hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" + hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300031003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00340030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_468B { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5" - hash = "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1" - date = "2023-11-02" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_6CF1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_EAE5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" - date = "2023-11-02" + hash = "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003000390031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-11-02" + hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003900320038 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300037 } /* LegalCopyright CopyrightCMRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { +rule PUA_VULN_Driver_Databaseharborsoftware_Sysinfodetectorxsys_Sysinfodetector_45E5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysInfoDetectorX64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-11-02" + hash = "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320038 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200200066006f007200200053007900730049006e0066006f0020004400650074006500630074006f0072 } /* FileDescription DriverforSysInfoDetector */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* CompanyName DatabaseHarborSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* InternalName SysInfoDetectorXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007900730049006e0066006f0020004400650074006500630074006f0072 } /* ProductName SysInfoDetector */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* OriginalFilename SysInfoDetectorXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003400200044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* LegalCopyright CopyrightCDatabaseHarborSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7048 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" - date = "2023-11-02" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-11-02" + hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079 } /* CompanyName HPDevelopmentCompany */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* InternalName etdsuppsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048005000200045005400440069002000440072006900760065007200200044004c004c } /* ProductName HPETDiDriverDLL */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* OriginalFilename etdsuppsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200031003900390031002d00320030003200320020004800650077006c006500740074002d005000610063006b00610072006400200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079002c0020004c002e0050002e } /* LegalCopyright CCopyrightHewlettPackardDevelopmentCompanyLP */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000350036 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - asmmap64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-11-02" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription 
MemorymappingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005300550053 } /* CompanyName ASUS */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* InternalName asmmapsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004b002000470065006e0065007200690063002000460075006e006300740069006f006e00200053006500720076006900630065 } /* ProductName ATKGenericFunctionService */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* OriginalFilename asmmapsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { +rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_Dev_DF96 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-11-02" + hash = "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0030002e0030002e003200200044006500760020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion DevbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0030002e0030002e00320020004400650076 } /* ProductVersion Dev */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d00320030003100370020004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcNCRCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-11-02" + hash = 
"0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Mitactechnologycorporation_Vdbsvsys_Mitacsystemserviceprovider_91AF { +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_BA40 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VdBSv64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4" - date = "2023-11-02" + hash = "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* InternalName VdBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* OriginalFilename VdBSvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003100370035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Intelcorp_Stdcdrvwssys_Selftestdatacollectordriverforwindowsx_70AF { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrvws64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505" - date = "2023-11-02" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f00720020004400720069007600650072 } /* FileDescription SelfTestDataCollectorDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070002e } /* CompanyName IntelCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* InternalName stdcdrvwssys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072002000440072006900760065007200200066006f0072002000570069006e0064006f00770073002000370020007800360034 } /* ProductName SelfTestDataCollectorDriverforWindowsx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* OriginalFilename stdcdrvwssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310030 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6E0A { +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-11-02" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { +rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" - hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-11-02" + hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320031002e00360033 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } 
/* FileDescription AdvancedMalwareProtection */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007000790072006900670068007400200032003000310038002e } /* CompanyName Copyright */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* ProductName AdvancedMalwareProtection */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005a0041004d002e006500780065 } /* OriginalFilename ZAMexe */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000310038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" - date = "2023-11-02" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_3670 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" - date = "2023-11-02" + hash = "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76" + hash = "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* 
CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e00310037003000350032002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 
} /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310037002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-11-02" + hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_0FC0 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3" - date = "2023-11-02" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 
0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" - date = "2023-11-02" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_E89C { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" - hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" - date = "2023-11-02" + hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-11-02" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0034002e003400390033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* InternalName AMDPowerProfilersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020007500500072006f0066 } /* ProductName AMDuProf */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* OriginalFilename AMDPowerProfilersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020003200300032003100200041004d004400200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright AMDIncAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_C490 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b" - hash = "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16" - hash = "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e" - date = "2023-11-02" + hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D7C9 { +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_898E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8" - hash = "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5" - date = "2023-11-02" + hash = "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289" + hash = "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300030002c002000300030002c002000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName 
nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AFDA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-11-02" + hash = "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3" + hash = "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* InternalName PanIOxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* OriginalFilename PanIOxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 
100KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { +rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_6386 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" - date = "2023-11-02" + hash = "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e" + hash = "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300031003400200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { 
+rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_C490 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e00310031002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e00310031002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + hash = "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b" + hash = "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e" + hash = "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } 
/* LegalCopyright CopyrightCMicrosoftCorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { +rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-11-02" + hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f00480057004d0049004f00360034005f005700310030002e007300790073 } /* OriginalFilename BSHWMIOWsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* InternalName ALSysIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f00360034 } /* ProductName ALSysIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* OriginalFilename ALSysIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300031003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian 
Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" - hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-11-02" + hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100300020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" - date = "2023-11-02" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-11-02" + hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName 
AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* InternalName aswVmmsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00610076006100730074002100200041006e0074006900760069007200750073 } /* ProductName avastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* OriginalFilename aswVmmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003300200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { +rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physicalmemoryaccessdriver_C299 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - physmem.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-11-02" + hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048 } /* CompanyName HilscherGesellschaftfrSystemaoutomationmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* InternalName physmemsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* ProductName PhysicalMemoryAccessDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* OriginalFilename physmemsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright HilscherGesellschaftfrSystemaoutomationmbHAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_4CE8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" - date = "2023-11-02" + hash = "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e00310031003200380035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300030002d0032003000310031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" - hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" - date = "2023-11-02" + hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename 
AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" - date = "2023-11-02" + hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7E81 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" - hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - date = "2023-11-02" + hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_6CF1 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_F629 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" - date = "2023-11-02" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { +rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-11-02" + hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043005900520045004e00200049006e0063002e } /* CompanyName CYRENInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d0050 } /* InternalName AMP */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005900520045004e00200041004d005000200035 } /* ProductName CYRENAMP */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d0070002e007300790073 } /* OriginalFilename ampsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000310039003900390020002d00200032003000310034002e00200043005900520045004e00200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCYRENIncAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_3F20 { +rule PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" - date = "2023-11-02" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* 
FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ condition: - uint16(0) == 0x5a4d and filesize < 700KB and all of them + 
uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_837D { +rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2" - hash = "77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f" - date = "2023-11-02" + hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300750070006500720062006d0063 } /* InternalName superbmc */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007300750070006500720062006d0063 } /* ProductName superbmc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300750070006500720062006d0063002e007300790073 } /* OriginalFilename superbmcsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-11-02" + hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and 
filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-11-02" + hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" + hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f00360034 } /* ProductName ALSysIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300031003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AE3A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" - date = "2023-11-02" + hash = "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-11-02" + hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_6F80 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-11-02" + hash = "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-11-02" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName 
RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { +rule PUA_VULN_Driver_Filseclabcorporation_Filnk_Filseclabdynamicdefensesystem_AE55 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-11-02" + hash = "ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006e006b } /* InternalName filnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006e006b002e007300790073 } /* OriginalFilename filnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310033002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 900KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE8 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-11-02" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_A475 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-11-02" + hash = "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003100320034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_66F8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize 
< 100KB and all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_55B5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" - date = "2023-11-02" + hash = "55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName 
RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_BA40 { +rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d" - date = "2023-11-02" + hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5" + hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" + hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" + hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" + hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003100370035002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_FA77 { +rule PUA_VULN_Driver_Filseclabcorporation_Filwfp_Filseclabfirewall_490C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filwfp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a" - hash = "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18" - date = "2023-11-02" + hash = "490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename 
ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* FileDescription FilseclabFirewall */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c007700660070 } /* InternalName filwfp */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* ProductName FilseclabFirewall */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c007700660070002e007300790073 } /* OriginalFilename filwfpsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { +rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, 
avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-11-02" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { meta: - description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" - date = "2023-11-02" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" - date = "2023-11-02" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = 
"5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = 
{ 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-11-02" + hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000340039 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 500KB and all of them } -rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { +rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - 
hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" - hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-11-02" + hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" + hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } 
/* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-11-02" + hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* 
FileDescription NTIOLibForMSIRatioCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { +rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-11-02" + hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" - date = "2023-11-02" + hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* 
ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and 
all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Stdcdrvsys_Selftestdatacollector_3702 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrv64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20" - date = "2023-11-02" + hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* FileDescription SelfTestDataCollector */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* InternalName stdcdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* ProductName SelfTestDataCollector */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* OriginalFilename stdcdrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcIntelCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100370036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B236 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { meta: - 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1" - hash = "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3" - date = "2023-11-02" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright 
CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_00C3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-11-02" + hash = "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053006100660065004e00650074002c00200049006e0063002e } /* CompanyName SafeNetInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048006f00730074006e0074 } /* InternalName Hostnt */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006f00730074006e0074 } /* ProductName Hostnt */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048006f00730074006e0074002e007300790073 } /* OriginalFilename Hostntsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000200053006100660065004e00650074002c00200049006e0063002e } /* LegalCopyright CopyrightCSafeNetInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e003200320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030002e00320032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300034002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright CopyrightcRadiantSystemsInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Proxydrvsys_Nn_0B20 { +rule PUA_VULN_Driver_Cn_Computerzsys_DEE3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" - date = "2023-11-02" + hash = "dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233" + hash = "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd" + date = 
"2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-11-02" + hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000340037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright 
CopyrightcAVASTSoftware */ condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-11-02" + hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00320030002e0030002e0031003000300038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00320030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-11-02" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-11-02" + hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName 
IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { +rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" - hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" - date = "2023-11-02" + hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f005200430049004f00360034002e007300790073 } /* OriginalFilename BSRCIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003200380037 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them -} - - -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-11-02" + hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" + hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys 
*/ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* InternalName amifldrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* OriginalFilename amifldrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { +rule PUA_VULN_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_D456 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hwdetectng.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-11-02" + hash = "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2" + hash = "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee" + hash = "2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0031003100310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480057004400650074006500630074004e0047 } /* FileDescription HWDetectNG */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069004e00460045005200520045 } /* CompanyName iNFERRE */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* InternalName hwdetectngsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* ProductName hwdetectngsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* OriginalFilename hwdetectngsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200032003000300038002d0030003900200069004e00460045005200520045 } /* LegalCopyright ciNFERRE */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { +rule PUA_VULN_Driver_Adlicesoftware_Truesight_Truesight_BFC2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - truesight.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-11-02" + hash = "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0052006f006700750065004b0069006c006c0065007200200041006e007400690072006f006f0074006b006900740020004400720069007600650072 } /* FileDescription 
RogueKillerAntirootkitDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410064006c00690063006500200053006f006600740077006100720065 } /* CompanyName AdliceSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005400720075006500730069006700680074 } /* InternalName Truesight */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720075006500730069006700680074 } /* ProductName Truesight */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005400720075006500730069006700680074 } /* OriginalFilename Truesight */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000410064006c00690063006500200053006f00660074007700610072006500280043002900200032003000320033 } /* LegalCopyright CopyrightAdliceSoftwareC */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_87B4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" - date = "2023-11-02" + hash = "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { +rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_F581 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" - date = "2023-11-02" + hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" + hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" + hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* 
InternalName inpoutxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f007500740078003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutxDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* OriginalFilename inpoutxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" - hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" - date = "2023-11-02" + hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_A475 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f" - date = "2023-11-02" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_7A2C { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" - date = "2023-11-02" + hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7 { +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_CA34 { meta: - description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629" - date = "2023-11-02" + hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ZwuqiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a6b665668 } /* CompanyName Z */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* ProductName ZwuqiSystemDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e007a0077007500710069002e0063006f006d } /* LegalCopyright CopyrightCwwwzwuqicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* 
FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_46D1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" - date = "2023-11-02" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + date = "2024-08-07" score = 
40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ 
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { +rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2023-11-02" + hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" + hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100300020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* 
OriginalFilename CorsairLLAccess */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-11-02" + hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003100320034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_EAE5 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed" - date = "2023-11-02" + hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003000390031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00320030002e0030002e0031003000310032 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { +rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-11-02" + hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription 
NTIOLibforDebugLED */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f00620069007400200049006e0066006f0072006d006100740069006f006e00200054006500630068006e006f006c006f00670079 } /* CompanyName IObitInformationTechnology */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0055006e006c006f0063006b00650072 } /* ProductName Unlocker */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6FB5 { +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_C190 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_00D9 { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9B6A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03" - date = "2023-11-02" + hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00320037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00320037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310039 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_2594 { +rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-11-02" + hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310034002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_7337 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-11-02" + hash = "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e" + hash = "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* 
FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" - hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-11-02" + hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* 
OriginalFilename WinRingsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d00320030003000380020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0031003000310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule 
PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_1E24 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" - date = "2023-11-02" + hash = "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d" + hash = "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { +rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-11-02" + hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule 
PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E602 { +rule PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822" - date = "2023-11-02" + hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ - 
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* InternalName ADVDRVsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f006600740052002000570069006e0064006f0077007300520020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsROperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* OriginalFilename ADVDRVsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800430029002000460055004a00490054005300550020004c0049004d004900540045004400200032003000300035 } /* LegalCopyright CopyrightCFUJITSULIMITED */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-11-02" + hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* ProductVersion r */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription 
AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Netfiltersys_79E7 { +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" - hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" - hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" - date = "2023-11-02" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { +rule PUA_VULN_Driver_Generalelectriccompany_Gedevicedriver_Proficymachineedition_Build_A369 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-11-02" + hash = "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce" + hash = 
"ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* CompanyName GeneralElectricCompany */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } 
/* FileVersion Build */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310037002000470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* LegalCopyright GeneralElectricCompany */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_85FD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-11-02" + hash = "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName 
ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-11-02" + hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* 
LegalCopyright CopyrightCMarkRussinovich */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea" - date = "2023-11-02" + hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_2AA1 { +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { 
meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-11-02" + hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0034002e003400390033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* InternalName AMDPowerProfilersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020007500500072006f0066 } /* ProductName AMDuProf */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* OriginalFilename AMDPowerProfilersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020003200300032003100200041004d004400200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright AMDIncAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-11-02" + hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } 
/* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e0032003000310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4 { +rule 
PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-11-02" + hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100380020005000750062006c00690063002000620079002000560065006b0074006f0072002000540031003300200028007200650076002e003000350029 } /* ProductName AntidetectPublicbyVektorTrev */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100380020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_7A2C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" - date = "2023-11-02" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_6F80 { +rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0" - date = "2023-11-02" + hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003200380037 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d 
and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-11-02" + hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003100200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { +rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-11-02" + hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* 
LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003300370031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { +rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Lv561av.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" - date = "2023-11-02" + hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f00670069007400650063006800200049006e0063002e } /* CompanyName LogitechInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* InternalName Lvavsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f006700690074006500630068002000570065006200630061006d00200053006f006600740077006100720065 } /* ProductName LogitechWebcamSoftware */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* OriginalFilename Lvavsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200031003900390036002d00320030003000390020004c006f006700690074006500630068002e002000200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright cLogitechAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 600KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E6D1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-11-02" + hash = "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000370037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600330032002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { +rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-11-02" + hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000390031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002d003200300032003100200048005000200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCHPIncAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1A45 { +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67" - date = "2023-11-02" + hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-11-02" + hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000330033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } 
/* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { +rule PUA_VULN_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-11-02" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0031003000310036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ 
condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -9584,7 +10020,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-11-02" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ 
@@ -9600,179 +10036,114 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { } -rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_3AF9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-11-02" + hash = "3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* 
LegalCopyright CopyrightCOpenLibSysorg */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them -} - - -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-11-02" - score = 40 - strings: - $ 
= { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them -} - - -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-11-02" - score = 40 - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000350032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006300740069007600650043006c00650061006e } /* ProductName ActiveClean */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them -} - - -rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iqvw64e.sys, iQVW64.SYS, NalDrv.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-11-02" + hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" + hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003300200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Insydesoftware_Insydeflash_Insydeflashutilitybitdriver_CE0A { +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iscflashx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9" - date = "2023-11-02" + hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* FileDescription iscflashxsys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f006600740077006100720065 } /* CompanyName InsydeSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049006e00730079006400650046006c006100730068 } /* InternalName InsydeFlash */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e007300790064006500200046006c0061007300680020005500740069006c00690074007900200036003400200062006900740020004400720069007600650072 } /* ProductName InsydeFlashUtilitybitDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* OriginalFilename iscflashxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003500200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Ludashicom_Computerzsys_0368 { +rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d" - hash = "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea" - date = "2023-11-02" + hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003100200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00310020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0031 } /* ProductName MsIoDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtier_1E9C { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1078 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" - hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" - date = "2023-11-02" + hash = 
"1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } @@ -9782,7 +10153,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-11-02" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -9798,280 +10169,263 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { +rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_05C1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" - date = "2023-11-02" + hash = "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686" + hash = "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300032003000200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-11-02" + hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000390039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 500KB and all of them } -rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-11-02" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-11-02" + hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000390038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* InternalName CPUDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* OriginalFilename CPUDriver */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006200790020004100530055005300540065006b00200043004f004d0050005500540045005200200049004e0043002e00200032003000300036 } /* LegalCopyright CopyrightbyASUSTekCOMPUTERINC */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 { +rule PUA_VULN_Driver_Proxydrvsys_Nn_0B20 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-11-02" + hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys 
*/ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-11-02" + hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003100310035 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-11-02" + hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" + date = "2024-08-07" score = 40 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00320030002e0030002e0031003000310032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00320030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0030002e0031003000370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them -} - - -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { - meta: - 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { +rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HW.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" - date = "2023-11-02" + hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" + hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003100350020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6E0A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" - date = "2023-11-02" + hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_0ABC { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664" - date = "2023-11-02" + hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename 
aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-11-02" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_81D5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300031003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" - date = "2023-11-02" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ 
@@ -10081,767 +10435,762 @@ rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { } -rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-11-02" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { +rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys" 
author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" - date = "2023-11-02" + hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070006f0072006100740069006f006e } /* CompanyName NVIDIACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0038002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00760066006c006100730068 } /* InternalName nvflash */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072 } /* ProductName NVIDIAFlashDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00760066006c006100730068002e007300790073 } /* OriginalFilename nvflashsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003100370020004e0056004900440049004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CNVIDIACorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_85FD { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3" - date = "2023-11-02" + hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion 
*/ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Proxydrvsys_Nn_C0E7 { +rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" - date = "2023-11-02" + hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ 
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100380020005000750062006c00690063002000620079002000560065006b0074006f0072002000540031003300200028007200650076002e003000350029 } /* ProductName AntidetectPublicbyVektorTrev */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100380020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-11-02" + hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BCED { +rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-11-02" + hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" + hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e00330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e00330030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300035 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule 
PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_B3D1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" - date = "2023-11-02" + hash = "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c" + hash = "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { +rule 
PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-11-02" + hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e00310031002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e00310031002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_1698 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-11-02" + hash = "1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_4CE8 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0" - date = "2023-11-02" + hash = 
"c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e00310031003200380035002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300030002d0032003000310031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0031003100310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { +rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonitorsdriverdevelopmentedition_7877 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VProEventMonitor.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" - date = "2023-11-02" + hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e } /* CompanyName SymantecCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00340035003700300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* InternalName VProEventMonitorSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079006d0061006e0074006500630020004500760065006e00740020004d006f006e00690074006f00720073002000440072006900760065007200200044006500760065006c006f0070006d0065006e0074002000450064006900740069006f006e } /* ProductName SymantecEventMonitorsDriverDevelopmentEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* OriginalFilename VProEventMonitorSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d0032003000300038002000530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSymantecCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { +rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" 
reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-11-02" + hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" - date = "2023-11-02" + hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" - date = "2023-11-02" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion 
*/ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools 
*/ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_CA34 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" - date = "2023-11-02" + hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightCTrendMicroIncorporatedAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 400KB and all of them } -rule PUA_VULN_Driver_Asmediatechnologyinc_Asmiosys_Asmediapcidriver_E465 { +rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsmIo64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb" - date = "2023-11-02" + hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* FileDescription AsmediaPCIDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410073006d006500640069006100200054006500630068006e006f006c006f00670079002000200049006e0063002e } /* CompanyName AsmediaTechnologyInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* InternalName AsmIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* ProductName AsmediaPCIDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* OriginalFilename AsmIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000410073006d006500640069006100200054006500630068006e006f006c006f00670079002e } /* LegalCopyright AsmediaTechnology */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { +rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { meta: - description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysDrv3S.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-11-02" + hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00330053002d0053006d00610072007400200053006f00660074007700610072006500200053006f006c007500740069006f006e007300200047006d00620048 } /* CompanyName SSmartSoftwareSolutionsGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c0035002c0036002c0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0035002e0036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530079007300440072007600330053 } /* InternalName SysDrvS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079007300440072007600330053 } /* ProductName SysDrvS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530079007300440072007600330053002e007300790073 } /* OriginalFilename SysDrvSsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300036002d0032003000310034 } /* LegalCopyright Copyright */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_6945 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402" - date = "2023-11-02" + hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } 
/* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_7C79 { +rule PUA_VULN_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficymachineedition_Build_CAC5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f" - date = "2023-11-02" + hash = "cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461" + hash = "51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0039002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0039002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* 
CompanyName GEIntelligentPlatformsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* FileVersion Build */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310031002c00200047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* LegalCopyright GEIntelligentPlatformsInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonitorsdriverdevelopmentedition_7877 { +rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VProEventMonitor.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-11-02" + hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" + date = "2024-08-07" score = 40 
strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e } /* CompanyName SymantecCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00340035003700300038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* InternalName VProEventMonitorSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079006d0061006e0074006500630020004500760065006e00740020004d006f006e00690074006f00720073002000440072006900760065007200200044006500760065006c006f0070006d0065006e0074002000450064006900740069006f006e } /* ProductName SymantecEventMonitorsDriverDevelopmentEdition */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* OriginalFilename VProEventMonitorSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d0032003000300038002000530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSymantecCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription 
CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { +rule PUA_VULN_Driver_Lowleveldriver_F941 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GPU-Z.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" - date = "2023-11-02" + hash = "f9418b5e90a235339a4a1a889490faca39cd117a51ba4446daa1011da06c7ecd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } 
/* FileDescription LowLevelDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } /* ProductName LowLevelDriver */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300034002d00320030003100300020002800630029002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" - date = "2023-11-02" + hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* 
CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { +rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-11-02" - score = 40 - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e0034002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0034002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003200200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { +rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-11-02" + hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" + hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320031002e00360033 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_30AB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-11-02" + hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f0077007300ae002000770069006e006f007700730020003700200064007200690076006500720020006b006900740073002000700072006f00760069006400650072 } /* CompanyName Windowswinowsdriverkitsprovider */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* InternalName HwRwDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* ProductName Hardwarereadwritedriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* OriginalFilename HwRwDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightMicrosoftCorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName 
ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300038 } /* LegalCopyright CopyrightCMRussinovich */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { +rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-11-02" + hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* 
InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003100300034 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_0FC0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" - date = 
"2023-11-02" + hash = "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Cn_Computerzsys_D9A7 { +rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23" - hash = "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b" - date = "2023-11-02" + hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" + date = "2024-08-07" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007000680079006d0065006d } /* InternalName phymem */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]007000680079006d0065006d } /* ProductName phymem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007000680079006d0065006d002e007300790073 } /* OriginalFilename phymemsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { +rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_16A2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-11-02" + hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" + hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f0067004d00650049006e002c00200049006e0063002e } /* CompanyName LogMeInInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* InternalName LMIinfosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0067004d00650049006e } /* ProductName LogMeIn */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* OriginalFilename LMIinfosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033002d00320030003100370020004c006f0067004d00650049006e002c00200049006e0063002e00200050006100740065006e00740065006400200061006e006400200070006100740065006e00740073002000700065006e00640069006e0067002e } /* LegalCopyright CopyrightLogMeInIncPatentedandpatentspending */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* 
OriginalFilename procexpSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { +rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-11-02" + hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and 
filesize < 400KB and all of them } -rule PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" - date = "2023-11-02" + hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* FileVersion r */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* ProductVersion r */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 200KB and all of them } -rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { +rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-11-02" + hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* InternalName IOMapsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* ProductName ASUSKernelModeDriverforNT */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* OriginalFilename IOMapsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003100300020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00500069006e00640075006f00640075006f0020004c0074006400200043006f00720070 } /* CompanyName PinduoduoLtdCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500069006e00640075006f00640075006f00200053006500630075007200650020005600440049 } /* ProductName PinduoduoSecureVDI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d0032003000320031002000500069006e00640075006f00640075006f00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCPinduoduoCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 1000KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-11-02" + hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" + 
date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-11-02" + hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them } -rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-11-02" + hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName 
aswArPotsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ 
@@ -10851,221 +11200,286 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { } -rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_848B { +rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891" - date = "2023-11-02" + hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { +rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" + date = "2024-08-07" + score = 40 + strings: + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00320030002e0030002e0031003000300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 300KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" - date = "2023-11-02" + hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" + date = 
"2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and 
filesize < 100KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { +rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-11-02" + hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f00480057004d0049004f00360034005f005700310030002e007300790073 } /* OriginalFilename BSHWMIOWsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { +rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-11-02" + hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070006f0072006100740069006f006e } /* CompanyName NVIDIACorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00760066006c006100730068 } /* InternalName nvflash */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072 } /* ProductName NVIDIAFlashDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00760066006c006100730068002e007300790073 } /* OriginalFilename nvflashsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003100370020004e0056004900440049004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CNVIDIACorporationAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + condition: + uint16(0) == 0x5a4d and filesize < 300KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_B224 { + meta: + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { +rule 
PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-11-02" + hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0032002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0032002e0037 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" - date = "2023-11-02" + hash = "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_9DEE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-11-02" + hash = "9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037003100320030003100300031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006700640072007600360034 } /* ProductName gdrv */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-11-02" + hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* 
InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* OriginalFilename mtcBSvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-11-02" + hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 400KB and all 
of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_30AB { +rule PUA_VULN_Driver_Asmediatechnologyinc_Asmiosys_Asmediapcidriver_E465 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsmIo64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2023-11-02" + hash = "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300038 } /* LegalCopyright CopyrightCMRussinovich */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* FileDescription AsmediaPCIDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410073006d006500640069006100200054006500630068006e006f006c006f00670079002000200049006e0063002e } /* CompanyName AsmediaTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* InternalName AsmIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* ProductName AsmediaPCIDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* OriginalFilename AsmIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000410073006d006500640069006100200054006500630068006e006f006c006f00670079002e } /* LegalCopyright AsmediaTechnology */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } + + +rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" 
+ hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +}